Executive Summary
Summit Industrial Group → Northwind Logistics Software
Summit Industrial Group is acquiring Northwind Logistics Software, a SaaS provider of transportation-orchestration and route-optimization software whose revenue ($41.2M ARR) is concentrated in a handful of enterprise logistics customers. This diligence layer interprets findings across legal, finance, commercial, product/tech, cybersecurity, regulatory, HR, tax, and ESG domains, with emphasis on contract-level exit rights triggered by the change of control, IP chain-of-title on the core platform, revenue-recognition quality, and an active EU data-transfer compliance gap. The overall posture is a Conditional Go: no finding is an absolute deal-stopper, but several require pre-close protection before signing.
Conditional Go
Risk Score: 62/100 — High
This analysis supports a Conditional Go, subject to verification by qualified legal, financial, tax, and data-protection advisors. None of the findings rises to the truly exceptional threshold for a No-Go: there is no evidence of fraud, no regulatory prohibition on the transaction, and no irremediable structural defect. The headline exposures — the Meridian Freight change-of-control termination right (30.1% of ARR), the active GDPR cross-border transfer gap affecting the Tidewater tenant (~7.5% of ARR), the missing Cobalt governing MSA (23.3% of ARR), and the unassigned core Route Optimization Engine IP — are all serious but remediable through standard deal mechanics: conditions precedent (customer consent/reaffirmation and production of missing contracts), specific indemnities/escrow, representations and warranties, and purchase-price or earn-out adjustment. The appropriate posture is to proceed while making customer reaffirmation on the top concentrated accounts and resolution of the IP and GDPR items hard closing conditions.
Northwind Logistics Software is a ~$41.2M ARR logistics SaaS target with a high-quality but highly concentrated enterprise book (Top-1 30.1%, Top-3 69.9%, Top-5 88.3%). The single most material item for verification is the Meridian Freight MSA §12.3, which on its face grants Northwind's largest customer (30.1% of ARR) an unconditional, no-cure right to terminate immediately upon a change of control of the provider, exercisable in its sole discretion within 60 days of closing — a right the company's own cap-table summary acknowledges this acquisition would trigger. This is the gating commercial/legal risk and should be neutralized pre-close via a customer consent, standstill, or reaffirmation as a condition precedent, backed by escrow or price protection. Notably, the management board deck (Slide 8) affirmatively represents that no customer-termination or change-of-control items are flagged, which appears inconsistent with the executed contracts and the company's own cap-table cross-reference; this gap bears on the reliability of management representations and argues for robust reps-and-warranties coverage.
Three further work-streams require resolution before close. First, data protection: the company's own 2026-Q1 sub-processor register discloses an OPEN, in-production transfer of EU (Belgian) driver telemetry to a US sub-processor (TelemetryWorks) with no SCCs, no Article 28 DPA, and no Annex 2 listing — an apparent GDPR Chapter V/Article 28 exposure (scoped to the ~7.5%-ARR Tidewater tenant, remediable via SCC/DPA execution or EEA re-routing, plus a specific indemnity). Second, IP chain-of-title: the core Route Optimization Engine was built by an independent contractor under an agreement granting Northwind only a non-exclusive license with no IP assignment or work-for-hire designation; a present assignment from the contractor should be obtained pre-close. Third, revenue quality: management's own FP&A note flags that the $28.8M Cobalt prepaid arrangement was recognized on a front-loaded rather than ratable basis, warranting an ASC 606 quality-of-earnings review, and the governing Cobalt MSA (23.3% of ARR) is absent from the data room entirely.
The remaining findings are second-order valuation and confirmatory-diligence items appropriate to manage through standard mechanics: customer concentration (a durability/pricing input, below deal-killer thresholds), the Harbor Foods termination-for-convenience right (a valuation concern on at-risk ARR), multi-state SaaS sales/use-tax nexus and a possible undisclosed German branch/permanent-establishment exposure (both unquantified pending studies), contractor worker-classification risk, and the absence of restrictive covenants/retention terms for founders and key engineers. Several material documents are missing (the Cobalt and Tidewater MSAs, executed employee IP assignments, charter/Series B SPAs, audited financials, and insurance program), and producing them should be a precondition to final pricing. All conclusions above are findings for verification by the deal team's qualified advisors, not settled legal, tax, or accounting determinations.
Key Takeaways
- ▲ Northwind Logistics flagged across 9 domains (Commercial + Cybersecurity + Esg) with 44 correlated findings representing 100% of contracted revenue — critical compound risk requiring coordinated review (Commercial + Cybersecurity + Esg)
- ● 100% of revenue concentrated in Northwind Logistics — customer retention strategy critical for value preservation (Commercial + Finance)
LegalHigh9
FinanceHigh5
CommercialHigh9
Product & TechMedium3
CybersecurityMedium4
HR / PeopleLow5
TaxLow4
RegulatoryMedium4
ESGLow1
Top Deal Breakers
- Meridian Freight change-of-control termination right (30.1% of ARR), triggered by this acquisition, no cure period
(Northwind_Logistics)
Meridian MSA §12.3 appears to grant the largest customer (~$12.4M ARR, 30.1%) an unconditional right to terminate immediately on a change of control of the provider, exercisable in its sole discretion within 60 days of closing, with a pro-rata refund of prepaid fees and no cure or wind-down. The cap-table summary acknowledges the Summit transaction would constitute a change of control. If exercised, the buyer loses ~30% of ARR plus a refund obligation. Subject to confirmation by legal counsel.
Remediation: Make Meridian's written consent/standstill or reaffirmation of the contract a condition precedent to closing; back-stop with an indemnity/escrow tied to Meridian retention and a purchase-price or earn-out adjustment mechanism if consent cannot be obtained before close. - Missing Cobalt Retail governing MSA (23.3% of ARR, $28.8M prepaid) — undisclosed CoC/termination/refund terms
(Northwind_Logistics)
The Cobalt order form incorporates an MSA dated Dec 18, 2024 that is absent from the data room. Change-of-control, termination, refund, liability, and IP terms governing nearly a quarter of ARR — on a fully cash-collected $28.8M prepayment — cannot be assessed. Given Meridian's severe CoC right, an unreviewed Cobalt MSA represents potential additional undisclosed CoC/refund exposure.
Remediation: Require production of the executed Cobalt MSA and all amendments as a condition precedent; assess CoC/refund exposure and, if mirrored on Meridian's terms, extend the same consent/escrow protection to Cobalt before final pricing. - Active GDPR cross-border transfer gap — EU driver telemetry to US sub-processor (TelemetryWorks) with no SCCs/DPA
(Northwind_Logistics)
The company's own sub-processor register discloses an OPEN, in-production transfer of EU (Belgian) driver telemetry to a US sub-processor with no SCCs, no Article 28 DPA, and no Annex 2 listing — an apparent GDPR Chapter V/Article 28 violation exposing the target (and acquirer post-close) to supervisory-authority enforcement and Tidewater contractual claims. Scoped to the ~7.5%-ARR Tidewater tenant; all remediation items are 'Not started.' Subject to confirmation by data-protection counsel.
Remediation: Require pre-close execution of EU SCCs and an Article 28 DPA with the sub-processor (or re-routing of telemetry to EEA-hosted analytics), Tidewater notification and Annex 2 update, and a specific GDPR-liability indemnity/escrow; harden the DPO sub-processor-approval control. - Core Route Optimization Engine IP not assigned — only a non-exclusive contractor license
(Northwind_Logistics)
A core differentiating platform module was built by an independent contractor under an agreement with no IP assignment and no work-for-hire designation; Northwind holds only a non-exclusive, royalty-free license. The contractor may retain ownership of the source code/algorithms and could license them to competitors — a freedom-to-operate and asset-quality concern for a module embedded in the Meridian, Harbor, and Cobalt subscriptions. Subject to confirmation by IP counsel.
Remediation: Obtain a present, written IP assignment / work-for-hire confirmation from the contractor (Signatory C) as a condition precedent; back-stop with a specific IP indemnity and consider escrow pending assignment. - Cobalt $28.8M prepaid revenue recognition — front-loaded rather than ratable (ARR-quality / QoE)
(Northwind_Logistics)
Management's own FP&A note flags that the 36-month, $28.8M Cobalt prepaid arrangement was recognized with a front-loaded Year-1 tranche rather than ratably (~$9.6M/yr straight-line), potentially overstating recognized revenue and in-period ARR quality. This is a valuation/quality-of-earnings item that may warrant a price adjustment. Subject to confirmation by accounting advisors under ASC 606.
Remediation: Commission a buyer-side ASC 606 quality-of-earnings review and GL deferred-revenue waterfall confirmation; adjust purchase price/earn-out for any restatement of recognized vs. deferred balances. Pair with production of audited financials.
Open Items
⚠
2
Decision Required
2 urgent
🔍
4
Needs More Data
1 urgent
⚖
2
Needs Counsel
2 urgent
📈
2
Needs Auditor
1 urgent
💰
1
Cost TBD
💡
Enhance this report — No buyer_strategy was provided in the deal config, so buyer_thesis_alignment was left empty and findings could not be weighed against Summit's investment rationale. To materially improve this report, the config should include: (1) the buyer's acquisition thesis (e.g., is Northwind valued primarily for its enterprise customer base, the route-optimization IP, geographic expansion into the EU, or a platform consolidation play) so findings can be ranked by their impact on the actual value drivers — for instance, if the thesis rests on the route-optimization technology, the contractor IP gap becomes thesis-critical rather than one of several P1s; (2) expected synergies and integration plans, so data-protection and sub-processor remediation can be scoped against the target's role post-close; (3) the buyer's risk tolerance and deal structure preferences (escrow vs. price adjustment vs. walk-away thresholds), which would let recommendations specify concrete deal mechanics rather than presenting options; and (4) valuation assumptions and how ARR is being credited, so the Cobalt recognition and concentration findings can be tied to a specific price impact. Supplying the missing data-room documents flagged above (Cobalt/Tidewater MSAs, charter, Series B SPAs, audited financials, insurance) would also convert several high-priority open questions into assessable findings. See
docs/user-guide/deal-configuration.md for details.Action Items
Advisory Notice
These recommendations are produced through neurosymbolic analysis — deterministic risk scoring and cross-domain trigger rules guide LLM synthesis across all findings, deal context, and buyer thesis. This is AI-assisted analysis — verify with qualified advisors. They do not constitute legal, financial, or professional counsel.
11
Total Actions
10
Pre-close
0
Day 1
1
30-90 Day
Pre-close (10 actions)
| # | Action | Rationale | Owner | Effort |
|---|---|---|---|---|
| 1 | Make a written Meridian Freight consent, waiver, or standstill of its §12.3 change-of-control termination right a hard condition precedent to closing. Re: Meridian Freight (30.1% of ARR) holds un, Largest customer (Meridian, 30.1% of ARR | Meridian is 30.1% of ARR ($12.4M) and its no-cure CoC right is triggered by this acquisition; without a waiver the buyer risks losing nearly a third of revenue plus a pro-rata refund on day one. | M&A Counsel | weeks |
| 2 | Obtain and review the executed Cobalt Retail MSA dated Dec 18, 2024 before close, and treat production of it as a condition precedent. Re: Cobalt Retail (23.3% of ARR, $28.8M prep | The Cobalt MSA governs 23.3% of ARR on a fully cash-collected $28.8M prepayment but is absent from the data room, leaving CoC, refund, liability, and IP terms unassessed — potential undisclosed exposure mirroring Meridian. | Legal Counsel | days |
| 3 | Require a documented GDPR remediation plan for the TelemetryWorks transfer — execute SCCs and an Article 28 DPA, notify/obtain Tidewater approval, or re-route EU telemetry to the EEA — as a closing condition backed by a specific GDPR-liability indemnity/escrow. Re: GDPR violation: EU driver telemetry (Tid, Unlawful EU-to-US transfer of EU driver | The transfer is an active Chapter V/Article 28 violation open in the company's own register with no remediation started; on close Summit inherits enforcement exposure (up to 4% of global turnover) and Tidewater contractual claims. | Data Protection Counsel | weeks |
| 4 | Secure a present IP assignment / work-for-hire confirmation from the Route Optimization Engine contractor (Signatory C) as a closing condition, backed by a specific IP indemnity. Re: Core Route Optimization Engine built by | A core differentiating module embedded in the Meridian, Harbor, and Cobalt subscriptions is held under only a non-exclusive license; without assignment the contractor could retain ownership and license to competitors. | IP Counsel | weeks |
| 5 | Engage accounting advisors to confirm ASC 606 timing on the $28.8M Cobalt prepayment and restate recognized vs. deferred revenue, then reflect any adjustment in purchase price or earn-out. Re: Cobalt $28.8M prepaid recognized front-l | Front-loaded Year-1 recognition rather than ratable (~$9.6M/yr) overstates revenue and ARR quality; ~$16.8M may belong in deferred revenue, directly affecting valuation. | CFO | weeks |
| 6 | Quantify and require balance-sheet reserving of the Harbor Foods pro-rata refund liability, and pursue a committed-term reaffirmation from Harbor. Re: Harbor Foods (16.5% of ARR) holds termin | Harbor (16.5% of ARR) can terminate for convenience on 30 days' notice with a pro-rata refund that is currently unreserved, leaving the obligation understated and the revenue non-committed. | CFO | days |
| 7 | Have M&A counsel reconcile the board-deck representation (Slide 8: 'no customer-termination, change-of-control, or contract-portability items flagged') against the Meridian §12.3 clause and broaden the representations-and-warranties review. Re: Meridian Freight (30.1% of ARR) holds un | The board deck materially understates the most significant exposure in the data room, which raises a reliability-of-management concern affecting trust in other disclosures. | M&A Counsel | days |
| 8 | Secure renewal/consent reaffirmation from the full Top-3 cohort (Meridian, Cobalt, Harbor) and obtain renewal/churn history for the Top-5 accounts. Re: High customer concentration: Top-1 30.1% | Top-3 concentration is 69.9% and Top-5 is 88.3% of ARR; each anchor account carries its own exit lever, so the concentration is a deal-protection priority, not just an observation. | Deal Team | weeks |
| 9 | Collect executed employee IP-assignment agreements where they are currently unsigned. Re: Core Route Optimization Engine built by | Unsigned employee IP forms compound the contractor IP gap and weaken clean title to in-house platform IP; cleanup is straightforward but should be done before or shortly after close. | Legal Counsel | days |
| 10 | Engage tax advisors to size the multi-state SaaS sales/use-tax nexus and the possible German branch/PE and VAT exposure, then determine whether a specific indemnity or escrow is warranted. Re: Unlawful EU-to-US transfer of EU driver | These exposures are flagged but unquantified; sizing them pre-close lets the buyer price or ring-fence the risk rather than inherit an unknown liability. | Tax Advisor | weeks |
Post-close 30d (1 actions)
| # | Action | Rationale | Owner | Effort |
|---|---|---|---|---|
| 1 | Run a full sub-processor audit and fix the DPO approval workflow so no EU data flows to an unapproved sub-processor; verify as a 30-day post-close integration item. Re: Unlawful US transfer of EU driver teleme | The TelemetryWorks transfer originated from Platform Engineering bypassing the DPO approval workflow, indicating a governance gap that may have produced other unapproved flows. | CTO | weeks |
Revenue-at-Risk & Financial Impact
$28.8M
Total Contracted ARR
$28.8M
Revenue at Risk (100%)
$0
Risk-Adjusted ARR
Revenue-at-Risk Waterfall
Total Contracted ARR
$28.8M
Change of Control Exposure
-$28.8M (1 entities)
Termination for Convenience
-$28.8M (1 entities)
Pricing & Discount Risk
-$28.8M (1 entities)
Risk-Adjusted ARR
$0
Entity Revenue Concentration
Northwind Logistics
$28.8M (100%)
$28.8M (100%)
Revenue data available for 1 of 2 entities (50%). Entities without revenue data are excluded from financial impact calculations.
Valuation Impact Bridge
$28.8M
Total ARR
$0
Risk-Adjusted ARR
$28.8M
Total Exposure
100.0%
Exposure %
Revenue exposure at 100.0%
Total risk exposure of $28.8M represents 100.0% of ARR. Significant valuation adjustment required.
Valuation Impact at Multiples
| Multiple | Gross Valuation | Risk Adjustment | Net Valuation |
|---|---|---|---|
| 5x | $144.0M | $144.0M | $0 |
| 8x | $230.4M | $230.4M | $0 |
| 12x | $345.6M | $345.6M | $0 |
Risk Category Breakdown
| Category | Exposure | % of Total |
|---|---|---|
| Change Of Control | $28.8M | 100.0% |
| Termination For Convenience | $28.8M | 100.0% |
| Pricing Risk | $28.8M | 100.0% |
Severity:
Domain:
Domain Overview
LegalHigh
9 findings
- P1 Meridian Freight (30.1% of ARR) holds immediate, no-cur
- P1 Core Route Optimization Engine built by contractor with
- P1 GDPR violation: EU driver telemetry (Tidewater) transfe
The Meridian change-of-control termination right (30.1% of ARR) and a missing Cobalt MSA (23.3% of ARR) put nearly half of revenue under unassessed or transaction-triggered contractual exit risk.
View details →
FinanceHigh
5 findings
- P0 Largest customer (Meridian, 30.1% of ARR) holds uncondi
- P1 Cobalt $28.8M prepaid recognized front-loaded in Year 1
- P1 High customer concentration: Top-1 30.1% and Top-3 69.9
Revenue quality is overstated by front-loaded recognition of the $28.8M Cobalt prepayment, while ~30% of ARR is exposed to a single transaction-triggered termination right.
View details →
CommercialHigh
9 findings
- P0 Meridian Freight (30.1% of ARR) holds unconditional imm
- P1 Harbor Foods (16.5% of ARR) holds termination-for-conve
- P1 Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed b
Revenue durability hinges on three enterprise contracts (Top-3 = 69.9% of ARR), each carrying its own exit lever.
View details →
Product & TechMedium
3 findings
- P1 Unlawful US transfer of EU driver telemetry to unauthor
- P2 Tidewater DPA Annex 2 sub-processor list does not recon
- P2 Aggressive SLA commitments (99.9% uptime, 1-hour critic
The core Route Optimization Engine was contractor-built with no IP assignment — Northwind holds only a non-exclusive license to a flagship module.
View details →
CybersecurityMedium
4 findings
- P1 Unlawful cross-border transfer of EU driver personal da
- P2 Critical sub-processor onboarded outside DPO security-r
- P3 Documented contractual security controls (TOMs) exist o
An active, in-production EU-to-US transfer of driver telemetry to an unapproved sub-processor sits open in the company's own register with no remediation started.
View details →
HR / PeopleLow
5 findings
- P2 Worker misclassification risk: sole-proprietor contract
- P2 Key-person dependency: single contractor built core Rou
- P2 Standard employee agreement contains no non-compete or
Employee IP-assignment forms appear unsigned, creating a secondary chain-of-title gap alongside the contractor IP issue.
View details →
TaxLow
4 findings
- P2 Multi-state sales/use tax nexus exposure on SaaS revenu
- P2 Undisclosed German/EEA branch operations create permane
- P3 Worker-classification risk on Route Optimization Engine
Tax exposure is unquantified rather than absent — multi-state SaaS nexus and a possible undisclosed German PE/VAT position need sizing.
View details →
RegulatoryMedium
4 findings
- P1 Unlawful EU-to-US transfer of EU driver telemetry to Te
- P2 Date discrepancy in Tidewater DPA execution date betwee
- P2 Sub-processor change-notification obligation to EU cust
The EU driver-telemetry transfer is an apparent live GDPR Chapter V / Article 28 violation exposing the acquirer to enforcement and Tidewater contractual claims post-close.
View details →
ESGLow
1 finding
- P3 ESG governance gap: vendor onboarded outside DPO approv
No material ESG exposure surfaced; a single low-severity item noted.
View details →
Top Priority Findings
#1
P0 Largest customer (Meridian, 30.1% of ARR) holds unconditional immediate CoC termination right triggered by this acquisit
Finance — Northwind Logistics
#2
P0 Meridian Freight (30.1% of ARR) holds unconditional immediate termination right triggered by Summit's acquisition, no cu
Commercial — Northwind Logistics
#3
P1 Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition
Legal — Northwind Logistics
#4
P1 GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing
Legal — Northwind Logistics
#5
P1 Cobalt $28.8M prepaid recognized front-loaded in Year 1 rather than ratably — overstates revenue/ARR quality; possible r
Finance — Northwind Logistics
Cross-Domain Risk Correlation
Compound Risk Connections
P0 Northwind Logistics44 findings across 9 domains
Commercial
Cybersecurity
ESG
Finance
HR / People
Legal
Product & Tech
Regulatory
Tax
Product capabilities affect commercial commitments — verify that roadmap obligations are technically feasible
Domain Interaction Matrix
| Commercial | Cybersecurity | ESG | Finance | HR / People | Legal | Product & Tech | Regulatory | Tax | |
|---|---|---|---|---|---|---|---|---|---|
| Commercial | — | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Cybersecurity | 1 | — | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| ESG | 1 | 1 | — | 1 | 1 | 1 | 1 | 1 | 1 |
| Finance | 1 | 1 | 1 | — | 1 | 1 | 1 | 1 | 1 |
| HR / People | 1 | 1 | 1 | 1 | — | 1 | 1 | 1 | 1 |
| Legal | 1 | 1 | 1 | 1 | 1 | — | 1 | 1 | 1 |
| Product & Tech | 1 | 1 | 1 | 1 | 1 | 1 | — | 1 | 1 |
| Regulatory | 1 | 1 | 1 | 1 | 1 | 1 | 1 | — | 1 |
| Tax | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | — |
Cross-Domain Verification
The following cross-domain verifications were automatically triggered when specialist agents identified findings requiring validation by other domains.
| Entity | Source | Target | Type | Priority |
|---|---|---|---|---|
| northwind_logistics | producttech | legal | data_privacy_compliance | ● P1 |
| northwind_logistics | legal | finance | termination_revenue_exposure | ● P1 |
Legal (9 findings)
High ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| Change of Control | 4 | P1:1, P2:2, P3:1 | Northwind Logistics |
| IP & Ownership | 1 | P1:1 | Northwind Logistics |
| Data Privacy & Security | 1 | P1:1 | Northwind Logistics |
| Termination & Exit | 1 | P2:1 | Northwind Logistics |
| Liability & Indemnification | 1 | P3:1 | Northwind Logistics |
| Employment & Benefits | 1 | P3:1 | Northwind Logistics |
Change of Control (4 findings, P1:1, P2:2, P3:1)▶
Northwind Logistics
● P1 Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition ▶
Source: Northwind Logistics | Agent: legal
CoC subtype: termination-right held by the Customer (Meridian), exercisable in sole and absolute discretion. The MSA §12.3 grants Meridian the right to terminate immediately upon a Change of Control of Provider, with NO cure period, NO transition/wind-down obligation, no breach required, and a pro-rata refund of prepaid fees. The 60-day period is the window to exercise the right (not a cure window). Meridian is Northwind's largest customer at $12,400,000 ARR (30.1% of total ARR per board deck / ARR schedule), under a 3-year term through 2027-12-31. The cap table summary §5.2-5.3 expressly states the Summit acquisition 'constitutes a Change of Control' and 'may trigger rights under' the Meridian MSA §12.3. This is the single most material legal risk in the data room and sits at the P0/P1 boundary; it is classified P1 (not P0) because termination requires Meridian's affirmative election rather than being automatic, but it requires pre-close deal protection (customer consent/waiver, escrow, or price adjustment). Note: Northwind board deck Slide 8 affirmatively represents 'No customer-termination, change-of-control, or contract-portability items are flagged in this excerpt' — which understates this exposure.
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(c))“in the event of a Change of Control of Provider, Customer may terminate this Agreement, effective immediately, by delivering written notice of such election to Provider (or its successor) at any time within sixty (60) days following the later of (i) the closing of the Change of Control or (ii) Customer's receipt of the notice required under Section 12.3(b). Such termination shall be automatic and effective upon Customer's written election, and shall not require the consent of Provider or its successor, nor shall it be subject to any cure period, transition period, or wind-down obligation.”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(d))“Customer's termination right under this Section 12.3 is exercisable in Customer's sole and absolute discretion, is not conditioned on any breach or change in service, and is not subject to any limitation, cap, or carve-out.”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.3)“the Meridian Freight Corporation Master Services Agreement, §12.3 (Change of Control), grants the customer rights upon a Change of Control of Provider as defined in §5.1 above. The consummation of the Transaction is expected to constitute a Change of Control for purposes of, and may trigger rights under, such customer agreements.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2 — ARR by Customer, Row 1)“Meridian Freight Corporation | Enterprise / 3PL | $12,400,000 | 30.1%”
◆ P2 Granite Manufacturing CoC requires counterparty consent to assign (consent not unreasonably withheld); no termination ri ▶
Source: Northwind Logistics | Agent: legal
CoC subtype: consent-required (for assignment), with a notification component. Granite MSA §10.2 requires the Provider undergoing a Change of Control to notify Granite within 30 days and permits assignment to the acquirer only upon Granite's prior written consent, 'which consent shall not be unreasonably withheld, conditioned, or delayed,' and consent may reasonably be withheld only where the acquirer is a direct competitor or financially incapable. Critically, the clause states 'A Change of Control shall not, by itself, give either Party any right to terminate this Agreement.' Granite = $4,500,000 ARR (10.9%). Because Northwind survives as the contracting entity in a stock acquisition (no assignment of the contract is strictly required), the consent standard is reasonable, the buyer is not a competitor, and there is no termination right, this is a manageable P2 (notification + reasonable consent) rather than P1. Obtain Granite consent/acknowledgement as a routine pre-close integration step.
Confidence: high
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 10.2 (Change of Control))“The Party undergoing the Change of Control may assign this Agreement to the acquiring or surviving entity **upon the prior written consent of the other Party, which consent shall not be unreasonably withheld, conditioned, or delayed.** For purposes of this Section 10.2, it shall be deemed reasonable for the non-assigning Party to withhold consent only where the acquiring or surviving entity is a direct competitor of such non-assigning Party or is unable to demonstrate the financial and operational capacity to perform the obligations under this Agreement. **A Change of Control shall not, by itself, give either Party any right to terminate this Agreement.**”
◆ P2 Acquisition triggers Series B protective provision requiring investor consent to change of control ▶
Source: Northwind Logistics | Agent: legal
The Series B Preferred protective provisions include a consent right over change of control and sale of all/substantially all assets. The cap table confirms the Summit transaction constitutes a Change of Control under the Certificate of Incorporation and Series B Stock Purchase Agreement. Closing therefore requires Series B investor consent (Investor Entity X holds 15.59% fully-diluted; founders hold 49.54% — no single majority holder). This is routine deal-mechanics requiring shareholder/preferred-stockholder approval; manageable as a closing condition (P2), not a deal risk on its own. Underlying Certificate of Incorporation and Series B SPA (Exhibits C and D) are referenced but not present in the data room — see gaps.
Confidence: medium
Northwind_Logistics/cap_table_summary.pdf.md (Section 4 (Series B Preferred — Key Terms, Protective Provisions))“Customary; includes consent for change of control, sale of all/substantially all assets, and amendment of Certificate of Incorporation”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.2)“The proposed acquisition by Summit Industrial Group, LLC of more than fifty percent (50%) of the Company's outstanding equity (and/or substantially all of its assets) **constitutes a Change of Control** under the foregoing definition.”
○ P3 Harbor Foods MSA permits assignment in M&A without consent; CoC gives no termination right (favorable) ▶
Source: Northwind Logistics | Agent: legal
CoC subtype: notification-style permitted assignment (favorable to acquirer). Harbor Foods §12.1 allows either party to assign the agreement without consent in connection with a merger/acquisition/reorganization on written notice, and expressly states a change of control of Provider gives Customer no termination right. This is acquirer-favorable and informational. (Note: Harbor's separate TfC right under §10.4 is the material item — reported as P1 above.)
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 12.1 (Assignment))“either Party may assign this Agreement, upon written notice and without consent, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. For the avoidance of doubt, a change of control of Provider shall not give rise to any right of Customer to terminate this Agreement.”
IP & Ownership (1 findings, P1:1)▶
Northwind Logistics
● P1 Core Route Optimization Engine built by contractor with NO IP assignment — only a non-exclusive license to Northwind ▶
Source: Northwind Logistics | Agent: legal
The Route Optimization Engine — described in the SOW as 'a core differentiating feature of the Platform's transportation-orchestration module' that 'is intended to power high-volume enterprise deployments, including Company's largest enterprise customer accounts' — was built by an independent contractor (Signatory C) under a contractor agreement that contains NO IP assignment and NO work-made-for-hire designation. Northwind received only a non-exclusive, royalty-free license (§6.2). The contractor therefore retains ownership of the source code and algorithms of a core platform component and could license the same IP to competitors. The agreement's own data-room note expressly flags this, contrasting it with Northwind's employee IP agreement under which employees presently assign all work product. This is a material IP ownership gap directly within the deal's stated 'IP ownership of core platform components, including any contractor-built modules' diligence focus. Requires pre-close remediation (obtain a present assignment / work-for-hire confirmation from Signatory C) and likely a specific indemnity/escrow. The route-optimization module is also expressly part of the Meridian, Harbor Foods, and Cobalt subscriptions, magnifying the exposure.
Confidence: high
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (End-of-SOW data-room reviewer note)“This Agreement contains no provision assigning, transferring, or vesting in Company ownership of, or any work-made-for-hire designation with respect to, the intellectual property, source code, algorithms, or other work product created by Contractor in connection with the Services. The only grant in favor of Company is the non-exclusive license set forth in Section 6.2.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Section 6.2 (License to Company))“Contractor hereby grants to Company a non-exclusive, worldwide, royalty-free license to use, reproduce, modify, and incorporate the Deliverables into the Platform and to operate the Platform for Company's business purposes.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A SOW §1 (Background and Objective))“the Engine is intended to be incorporated into the Platform”
Data Privacy & Security (1 findings, P1:1)▶
Northwind Logistics
● P1 GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing ▶
Source: Northwind Logistics | Agent: legal
Northwind streams real-time EU driver location/GPS telemetry for the Tidewater (Belgium) tenant to TelemetryWorks Inc., a US sub-processor in Portland, Oregon, for route analytics. Per the company's own sub-processor register this transfer has NO lawful basis: TelemetryWorks is NOT listed in the Tidewater DPA Annex 2 (violating DPA §5.1's prior-notice/approval requirement), there are NO Standard Contractual Clauses on file, no EU-US Data Privacy Framework certification verified, and no executed Article 28 DPA between Northwind and TelemetryWorks. The data flow is active in production and the gap is recorded as 'OPEN — unresolved as of 2026-Q1 review'; all remediation items are 'Not started.' This is a live GDPR Chapter V (international transfer) and Article 28 (sub-processing) violation affecting EU data subjects, exposing the target (and acquirer post-close) to supervisory-authority enforcement and Tidewater contractual claims. Tidewater = $3,100,000 ARR / 7.5% of total ARR. Requires pre-close remediation plan and indemnity.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 3 (TelemetryWorks Inc.))“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.2 (The compliance gaps))“The telemetry data is personal data of EU data subjects (Belgian drivers) transferred from the EEA to the United States. **No EU Standard Contractual Clauses (SCCs) are on file**, no EU–US Data Privacy Framework certification has been verified for TelemetryWorks, and no other Article 46 transfer mechanism is in place. The US transfer currently has **no lawful transfer basis** documented.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-processing))“Where any Sub-processor is established in, or Processes EU Personal Data from, a country outside the European Economic Area that has not been the subject of an adequacy decision, the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
Termination & Exit (1 findings, P2:1)▶
Northwind Logistics
◆ P2 Harbor Foods (16.5% of ARR) holds 30-day termination-for-convenience right with pro-rata refund ▶
Source: Northwind Logistics | Agent: legal
Termination subtype: Termination for Convenience (TfC), unilateral right held by the Customer (Harbor Foods). Harbor may terminate the entire agreement for convenience without cause on only 30 days' notice, with a pro-rata refund of prepaid fees and no early-termination fee or penalty. Harbor Foods is $6,800,000 ARR (16.5% of total ARR). Per legal severity calibration, a TfC clause is normally a P2 valuation concern, but escalates to P1 when TfC affects >10% of revenue with <90-day notice — both conditions are met here (16.5% revenue; 30-day notice). This is non-committed, at-risk ARR that lowers revenue quality/RPO certainty and should factor into ASC 606 RPO and purchase-price/earn-out analysis. The ARR schedule also notes the resulting refund liability is 'not currently reserved.'
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 10.4 (Termination for Convenience by Customer))“Customer may terminate this Agreement, in whole, for convenience and without cause at any time upon thirty (30) days' prior written notice to Provider. In the event of such termination for convenience, Provider shall refund to Customer, within thirty (30) days following the effective date of termination, a pro-rata portion of any Prepaid Fees attributable to the period from and after the effective date of termination through the end of the then-current term. No early-termination fee, penalty, or wind-down charge shall be payable by Customer in connection with a termination under this Section 10.4.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4 §4.2 (Other Recognition Notes))“Harbor Foods ($6.8M):** Annual billing; subject to pro-rata refund on termination for convenience (see MSA §10.4) — refund liability not currently reserved.”
Liability & Indemnification (1 findings, P3:1)▶
Northwind Logistics
○ P3 Standard mutual liability caps (12-month fees) across enterprise MSAs ▶
Source: Northwind Logistics | Agent: legal
All four enterprise customer contracts (Meridian §10.2, Harbor §11.2, Granite §11.2, and the Cobalt order form via incorporated MSA) cap each party's aggregate liability at the fees paid/payable in the 12 months preceding the claim, with standard carve-outs for confidentiality breach, indemnification, and gross negligence/willful misconduct. These are market-standard mutual caps; informational, no action required. The contractor agreement (§8.2) caps the contractor's liability at the total fixed fee ($185,000) — low relative to the IP exposure noted above.
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 10.2)“EACH PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Section 8.2)“CONTRACTOR'S AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FIXED FEE PAID HEREUNDER.”
Employment & Benefits (1 findings, P3:1)▶
Northwind Logistics
○ P3 Employee IP assignment standard form is robust (present assignment + work-for-hire) but applies only to employees ▶
Source: Northwind Logistics | Agent: legal
Northwind's standard-form Employee Proprietary Information and Inventions Assignment Agreement contains a strong present assignment of all Company Inventions (§3.1) and a work-made-for-hire clause (§3.2), and is assignable by the Company to a successor without employee consent (§8.6) — favorable for the acquirer. The agreement's own scope note confirms this assignment does NOT extend to non-employee contractors absent an equivalent contractor assignment, which is precisely the gap in the Route Optimization Engine contractor agreement (reported P1 above). Informational; the form itself is sound.
Confidence: high
Northwind_Logistics/employment_ip_agreement.pdf.md (Section 3.1 (Present Assignment))“Employee hereby irrevocably assigns, transfers, and conveys to the Company all right, title, and interest, throughout the world and in perpetuity, in and to all Company Inventions and any and all associated intellectual property rights”
Northwind_Logistics/employment_ip_agreement.pdf.md (Note on Scope)“the present-tense assignment in Section 3 above does **not** automatically extend to non-employee contractors unless an equivalent assignment is executed in the applicable contractor agreement.”
Finance (5 findings)
High ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| Revenue Recognition | 2 | P0:1, P1:1 | Northwind Logistics |
| Revenue Composition | 2 | P1:1, P2:1 | Northwind Logistics |
| pricing | 1 | P3:1 | Northwind Logistics |
Revenue Recognition (2 findings, P0:1, P1:1)▶
Northwind Logistics
▲ P0 Largest customer (Meridian, 30.1% of ARR) holds unconditional immediate CoC termination right triggered by this acquisit ▶
Source: Northwind Logistics | Agent: finance
The Meridian Freight MSA (§12.3) grants Customer the right to terminate immediately upon a Change of Control of Provider, in its 'sole and absolute discretion,' with no cure period, no cap, and no carve-out, exercisable within 60 days of closing/notice. The cap_table_summary confirms the Summit acquisition 'constitutes a Change of Control' and 'may trigger rights under' this agreement. Meridian is the single largest customer at $12,400,000 ARR (30.1% of total $41.2M ARR per the ARR schedule). From a finance lens this places 30.1% of ARR at risk of unilateral loss at closing, plus a contractual obligation to refund prepaid fees pro-rata for the unused portion of the then-current annual period. This exceeds the 20%-revenue / no-cure CoC threshold for a deal-stopper and warrants pre-close protection (customer reaffirmation/consent, escrow, or price adjustment). Legal owns the clause analysis; this finding quantifies the revenue-at-risk and refund exposure.
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (§12.3(c)-(d) Change of Control of Provider)“in the event of a Change of Control of Provider, Customer may terminate this Agreement, effective immediately, by delivering written notice of such election to Provider (or its successor) at any time within sixty (60) days following the later of (i) the closing of the Change of Control or (ii) Customer's receipt of the notice required under Section 12.3(b). Such termination shall be automatic and effective upon Customer's written election, and shall not require the consent of Provider or its successor, nor shall it be subject to any cure period, transition period, or wind-down obligation.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2 — ARR by Customer, Row 1 (Meridian Freight Corporation))“| 1 | Meridian Freight Corporation | Enterprise / 3PL | $12,400,000 | 30.1% | Annual, in advance | 2027-12-31 |”
Northwind_Logistics/cap_table_summary.pdf.md (§5.3 Cross-Reference — Customer Agreements)“The consummation of the Transaction is expected to constitute a Change of Control for purposes of, and may trigger rights under, such customer agreements.”
● P1 Cobalt $28.8M prepaid recognized front-loaded in Year 1 rather than ratably — overstates revenue/ARR quality; possible r ▶
Source: Northwind Logistics | Agent: finance
Management's own FP&A note flags that the Cobalt Retail 36-month, $28,800,000 prepaid arrangement (cash collected in full 2025-01-15) was recognized with a front-loaded Year-1 tranche instead of ratably over the 36-month service period. Straight-line recognition would be ~$9,600,000/yr (~$800,000/month), and deferred revenue at 2026-03-31 should reflect ~21 unconsumed months (~$16,800,000). The current treatment overstates recognized revenue and the durability of in-period ARR, and the board deck characterizes the prepayment as a positive boost to 'in-period revenue.' Cobalt is 23.3% of ARR ($9.6M). This requires buyer-side confirmation of ASC 606 performance-obligation timing and restatement of recognized vs. deferred balances; a price/quality-of-earnings adjustment may be warranted.
Confidence: high
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4 §4.1 — FP&A recognition note (FLAGGED FOR REVIEW))“The Cobalt $28.8M / 36-month prepaid arrangement was recognized with a **front-loaded Year-1 tranche** rather than **ratably over the 36-month service period**. Under a ratable basis, recognized revenue would approximate $9,600,000 per annum ($800,000/month) straight-line. The current treatment recognizes a disproportionate share in Year 1 (FY2025), which **overstates recognized revenue and ARR quality** relative to the ratable/straight-line method customary for over-time SaaS subscription delivery.”
Northwind_Logistics/order_form_cobalt_retail.pdf.md (§4.3 Prepaid Billing / §4.5 Invoice and Collection)“the **entire Total Contract Value of $28,800,000 is payable in a single up-front installment** covering the full 36-month Initial Term.”
Northwind_Logistics/board_deck_excerpt.pdf.md (Slide 4 — Business Highlights)“a **$28.8M total contract value** (36-month term) **invoiced and cash-collected in full in January 2025**. Management views this as a landmark validation of the platform and a meaningful boost to in-period revenue.”
Revenue Composition (2 findings, P1:1, P2:1)▶
Northwind Logistics
● P1 High customer concentration: Top-1 30.1% and Top-3 69.9% of ARR; durability hinges on three enterprise contracts ▶
Source: Northwind Logistics | Agent: finance
The ARR schedule reports Top-1 concentration of 30.1% (Meridian), Top-3 of 69.9% (Meridian + Cobalt + Harbor = $28.8M), and Top-5 of 88.3%. Management's own FP&A note states Top-1 sits at/above the 30% internal threshold and Top-3 indicates limited diversification. While below the absolute deal-killer thresholds (single >40%, Top-3 >70% — Top-3 here is 69.9%, marginally under), the concentration is material and is compounded by the Meridian CoC termination right (see related P0) and the Harbor termination-for-convenience right. Buyer should treat the top-3 cohort renewal/term risk as a diligence and deal-protection priority.
Confidence: high
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 1 §1.1 Headline Metrics and §2.3 Concentration Analysis)“Top-1 customer concentration of 30.1% sits at/above the 30% internal concentration threshold. Top-3 of 69.9% indicates limited revenue diversification across the enterprise book.”
◆ P2 Core route-optimization engine IP not assigned to Company (only non-exclusive license) — valuation/asset-quality risk ▶
Source: Northwind Logistics | Agent: finance
The Route Optimization Engine — described as 'a core differentiating feature' powering the largest enterprise deployments — was built by an independent contractor for a fixed fee of $185,000. The agreement grants Company only a non-exclusive license (§6.2) and contains NO IP assignment or work-made-for-hire designation, in contrast to the employee PIIA's present assignment. From a finance/valuation lens, a core revenue-generating asset of the platform is not owned outright, creating asset-quality and potential remediation-cost exposure (re-licensing / buy-out / rebuild). Legal/IP owns the ownership-defect severity; flagged here for valuation impact and cross-referenced.
Confidence: high
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A note (data-room reviewer reference) and §6.2 License to Company)“This Agreement contains no provision assigning, transferring, or vesting in Company ownership of, or any work-made-for-hire designation with respect to, the intellectual property, source code, algorithms, or other work product created by Contractor in connection with the Services. The only grant in favor of Company is the non-exclusive license set forth in Section 6.2.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§3.1 Fixed Fee)“Company shall pay Contractor a fixed fee of **One Hundred Eighty-Five Thousand U.S. Dollars ($185,000.00)**”
pricing (1 findings, P3:1)▶
Northwind Logistics
○ P3 Cobalt renewal uplift capped at 5%; Cobalt mid-term price held firm — standard pricing terms ▶
Source: Northwind Logistics | Agent: finance
The Cobalt order form holds the $9,600,000 annual fee firm for the full 36-month term with no mid-term escalation, and caps renewal uplift at 5%. These are standard, customer-favorable but unremarkable pricing terms with no adverse financial impact; noted for completeness.
Confidence: high
Northwind_Logistics/order_form_cobalt_retail.pdf.md (§5.2 Renewal / §6.2 Price Hold)“Fees for any Renewal Term shall be the then-current Initial Term annual fee plus an uplift not to exceed five percent (5%), unless otherwise agreed in writing.”
Commercial (9 findings)
High ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| Customer Satisfaction | 4 | P1:1, P2:2, P3:1 | Northwind Logistics |
| change_of_control | 2 | P0:1, P3:1 | Northwind Logistics |
| undisclosed_material_contract | 1 | P1:1 | Northwind Logistics |
| Customer Concentration | 1 | P2:1 | Northwind Logistics |
| sla_compliance | 1 | P3:1 | Northwind Logistics |
Customer Satisfaction (4 findings, P1:1, P2:2, P3:1)▶
Northwind Logistics
● P1 Harbor Foods (16.5% of ARR) holds termination-for-convenience right on 30 days' notice with pro-rata refund; refund liab ▶
Source: Northwind Logistics | Agent: commercial
The Harbor Foods MSA §10.4 gives the customer an unconditional right to terminate for convenience and without cause at any time on only 30 days' written notice, with a pro-rata refund of prepaid fees and no early-termination fee or penalty. Harbor Foods represents $6,800,000 / 16.5% of total ARR. Under the commercial calibration, termination-for-convenience on a >10%-revenue customer with <90-day notice is a P1 'at-risk ARR' valuation concern requiring deal protection. Compounding the exposure, the ARR schedule notes the pro-rata refund liability on Harbor Foods is 'not currently reserved.' Harbor also auto-renews in 1-year terms with a 60-day non-renewal window, so the relationship is non-committed beyond the current term. The Harbor MSA §12.1 expressly provides that a change of control of Provider does NOT give a termination right (unlike Meridian), so the CoC exposure here is limited to the standing TfC right.
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 10.4 Termination for Convenience by Customer)“Customer may terminate this Agreement, in whole, for convenience and without cause at any time upon thirty (30) days' prior written notice to Provider. In the event of such termination for convenience, Provider shall refund to Customer, within thirty (30) days following the effective date of termination, a pro-rata portion of any Prepaid Fees attributable to the period from and after the effective date of termination through the end of the then-current term.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4.2 Other Recognition Notes (Harbor Foods))“**Harbor Foods ($6.8M):** Annual billing; subject to pro-rata refund on termination for convenience (see MSA §10.4) — refund liability not currently reserved.”
◆ P2 Management board deck affirmatively misstates CoC/termination exposure on largest customer ▶
Source: Northwind Logistics | Agent: commercial
The Q1 2026 board deck (Slide 8) represents that 'No customer-termination, change-of-control, or contract-portability items are flagged in this excerpt' and characterizes top-account concentration as 'manageable' and 'well-mitigated by contract duration.' This directly contradicts the executed Meridian MSA §12.3 (immediate, sole-discretion CoC termination on 30.1% of ARR) and the Harbor MSA §10.4 (30-day TfC on 16.5% of ARR) — and the company's own cap-table summary §5.3 expressly cross-references the Meridian CoC trigger. The board deck is internal DD-output/reference material, but the gap between the management narrative ('high-switching-cost,' 'no material near-term revenue risk') and the contract terms is itself a diligence red flag bearing on the reliability of management representations. Buyer should reconcile the management view against the contracts and seek reps/warranties coverage.
Confidence: high
Northwind_Logistics/board_deck_excerpt.pdf.md (Slide 8 Key Risks & Watch Items)“*No customer-termination, change-of-control, or contract-portability items are flagged in this excerpt.*”
Northwind_Logistics/board_deck_excerpt.pdf.md (Slide 6 Customer Concentration: Management View)“with the two largest accounts (Meridian and Cobalt, together 53.4% of ARR) under multi-year terms extending into 2027, **the concentration profile is well-mitigated by contract duration** and presents no material near-term revenue risk.”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.3 Cross-Reference Customer Agreements)“the **Meridian Freight Corporation Master Services Agreement, §12.3 (Change of Control)**, grants the customer rights upon a Change of Control of Provider as defined in §5.1 above. The consummation of the Transaction is expected to constitute a Change of Control for purposes of, and may trigger rights under, such customer agreements.”
◆ P2 Granite Manufacturing (10.9% of ARR) does NOT auto-renew; requires affirmative mutual written renewal 30 days before Feb ▶
Source: Northwind Logistics | Agent: commercial
Unlike the other enterprise contracts, the Granite Manufacturing MSA §2.2 does not auto-renew: it renews only upon mutual written agreement executed at least 30 days before the then-current expiration, and §9.3 bars termination for convenience during the initial term. The two-year initial term expires February 28, 2027. Granite is $4,500,000 / 10.9% of ARR. The affirmative-renewal mechanic creates renewal/churn risk on >10% of ARR roughly 9 months post the expected Q3 2026 close — there is no contractual continuation absent a fresh negotiation, and no renewal evidence is in the data room. Granite's CoC clause (§10.2) requires consent (not to be unreasonably withheld) for assignment and provides no termination right on CoC, so the renewal mechanic is the principal commercial risk here.
Confidence: high
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 2.2 Renewal)“this Agreement shall renew for successive one (1) year periods ... only upon the mutual written agreement of the Parties executed not less than thirty (30) days prior to the then-current expiration date. For the avoidance of doubt, this Agreement does not auto-renew absent such written agreement.”
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 2.1 Initial Term)“continue for a period of **two (2) years**, expiring on **February 28, 2027** (the "**Initial Term**")”
○ P3 Cobalt order form auto-renews 12-month terms with capped 5% uplift; 90-day non-renewal notice ▶
Source: Northwind Logistics | Agent: commercial
The Cobalt order form (incorporating MSA §11.2) auto-renews for successive 12-month terms unless 90 days' written non-renewal notice, with renewal fees capped at a 5% uplift over the current annual fee, and a firm price-hold (no mid-term escalation) for the 36-month initial term. Standard, customer-favorable-but-routine renewal mechanics on a prepaid account through 2027-12-31; informational. Note the underlying governing MSA itself is missing (see P1 finding/gap).
Confidence: high
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 5.2 Renewal)“automatically renew for successive twelve (12) month renewal terms (each, a "Renewal Term") unless either party provides written notice of non-renewal to the other party **at least ninety (90) days prior to the end of the then-current term**. Fees for any Renewal Term shall be the then-current Initial Term annual fee plus an uplift not to exceed five percent (5%)”
change_of_control (2 findings, P0:1, P3:1)▶
Northwind Logistics
▲ P0 Meridian Freight (30.1% of ARR) holds unconditional immediate termination right triggered by Summit's acquisition, no cu ▶
Source: Northwind Logistics | Agent: commercial
The Meridian Freight MSA §12.3 grants the customer a unilateral right to terminate effective immediately upon a Change of Control of Northwind, exercisable in Meridian's 'sole and absolute discretion,' not conditioned on any breach, not subject to any cure or wind-down period, within 60 days of the closing/notice. The cap table summary §5.2 confirms that Summit's acquisition of >50% equity 'constitutes a Change of Control' under the very definition keyed to MSA §12.3. Meridian is the single largest customer at $12,400,000 / 30.1% of total ARR (well above the 20% deal-stopper threshold). Upon such termination Northwind must refund prepaid fees pro-rata and is owed no transition/continuation revenue. This is the precise pattern of a >20%-revenue customer with a no-cure termination right activated by the transaction itself. A reasonable acquirer would require a customer consent/standstill or reaffirmation as a closing condition, an indemnity/escrow, or a purchase-price adjustment. Note: the management board deck (Slide 8) affirmatively represents that 'No customer-termination, change-of-control, or contract-portability items are flagged,' which is contradicted by this clause (see separate finding).
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(c)-(d) Change of Control of Provider)“in the event of a Change of Control of Provider, Customer may terminate this Agreement, effective immediately, by delivering written notice of such election to Provider (or its successor) at any time within sixty (60) days following the later of (i) the closing of the Change of Control or (ii) Customer's receipt of the notice required under Section 12.3(b). Such termination shall be automatic and effective upon Customer's written election, and shall not require the consent of Provider or its successor, nor shall it be subject to any cure period, transition period, or wind-down obligation.”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(d))“Customer's termination right under this Section 12.3 is exercisable in Customer's sole and absolute discretion, is not conditioned on any breach or change in service, and is not subject to any limitation, cap, or carve-out. Upon such termination, Customer shall have no obligation to pay any fees for periods following the effective date of termination, Provider shall refund any prepaid fees on a pro-rata basis for the unused portion of the then-current annual period”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.2-5.3 Change of Control)“The proposed acquisition by Summit Industrial Group, LLC of more than fifty percent (50%) of the Company's outstanding equity (and/or substantially all of its assets) **constitutes a Change of Control** under the foregoing definition.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2.1 ARR by Customer, Row 1)“| 1 | Meridian Freight Corporation | Enterprise / 3PL | $12,400,000 | 30.1% | Annual, in advance | 2027-12-31 |”
○ P3 Granite MSA permits customer to withhold consent to CoC assignment if acquirer is a 'direct competitor' ▶
Source: Northwind Logistics | Agent: commercial
The Granite MSA §10.2 allows assignment to the acquiring/surviving entity on a CoC only with the other party's prior written consent, not to be unreasonably withheld, but expressly deems it reasonable to withhold consent where the acquirer 'is a direct competitor' of the customer or cannot demonstrate financial/operational capacity. Summit Industrial Group operates fleet/logistics operations (per the acquirer overview), so there is a residual risk Granite could argue Summit is a competitor and withhold consent on 10.9% of ARR. A CoC does not by itself give a termination right under this MSA, so this is a consent/assignment risk (P2), not a termination right. Buyer should confirm Granite consent and that Summit is not deemed a 'direct competitor.'
Confidence: medium
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 10.2 Change of Control)“it shall be deemed reasonable for the non-assigning Party to withhold consent only where the acquiring or surviving entity is a direct competitor of such non-assigning Party or is unable to demonstrate the financial and operational capacity to perform the obligations under this Agreement. **A Change of Control shall not, by itself, give either Party any right to terminate this Agreement.**”
undisclosed_material_contract (1 findings, P1:1)▶
Northwind Logistics
● P1 Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room ▶
Source: Northwind Logistics | Agent: commercial
The Cobalt Retail order form (NW-OF-2025-0007) is expressly governed by and incorporates by reference a 'Master Services Agreement between Provider and Customer dated December 18, 2024' that does not appear anywhere in the data room — only the order form is present. Cobalt is the second-largest customer at $9,600,000 / 23.3% of ARR with a $28,800,000 prepaid 36-month TCV (cash-collected in full Jan 2025). Because the governing MSA is missing, the change-of-control, termination, SLA, liability, indemnity, and refund terms applicable to nearly a quarter of ARR cannot be assessed. The order form selectively reproduces only renewal/termination-for-cause/governing-law clauses and is silent on CoC. Given Meridian's MSA contains a severe CoC termination right, the un-reviewed Cobalt MSA represents material undisclosed CoC/refund exposure on a fully-prepaid account. Buyer must obtain the executed Cobalt MSA before close. (Also recorded as a gap.)
Confidence: high
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Header / MSA Reference)“**MSA Reference:** Master Services Agreement between Provider and Customer dated December 18, 2024 ("MSA")”
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 4.5 Invoice and Collection)“Invoice No. NW-INV-2025-0021 in the amount of **$28,800,000** was issued on January 15, 2025 and **paid and cash-collected in full on January 15, 2025**.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2.1 ARR by Customer, Row 2)“| 2 | Cobalt Retail Group | Enterprise / Shipper | $9,600,000 | 23.3% | 36-mo prepaid (collected 2025-01-15) | 2027-12-31 |”
Customer Concentration (1 findings, P2:1)▶
Northwind Logistics
◆ P2 High customer concentration: top-1 30.1%, top-3 69.9%, top-5 88.3% of ARR ▶
Source: Northwind Logistics | Agent: commercial
The ARR schedule reports top-1 customer concentration at 30.1% (Meridian), top-3 at 69.9% (Meridian + Cobalt + Granite [sic: Harbor]), and top-5 at 88.3%, against an internal 30% concentration threshold that the top-1 account meets/exceeds. The long-tail is only 11.7% across 47 SMB accounts. This limited revenue diversification amplifies the impact of the contract-level termination/renewal risks flagged for Meridian (P0 CoC) and Harbor (P1 TfC): a material share of ARR is concentrated in a small number of accounts that individually hold exit rights. Concentration sits just below the >40%-single-customer / >70%-top-3 deal-killer thresholds, so it is a material valuation/durability concern (P2) rather than a standalone deal-stopper. Defer ARR-quality and revenue-recognition durability analysis to the Finance agent.
Confidence: high
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 1.1 Headline Metrics & Sheet 2.3 Concentration Analysis)“| Top-1 customer concentration | **30.1%** |
| Top-3 customer concentration | **69.9%** |
| Top-5 customer concentration | 88.3% |”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2.3 FP&A note (concentration))“Top-1 customer concentration of 30.1% sits at/above the 30% internal concentration threshold. Top-3 of 69.9% indicates limited revenue diversification across the enterprise book.”
sla_compliance (1 findings, P3:1)▶
Northwind Logistics
○ P3 Differing SLA uptime commitments and capped service-credit exposure across enterprise contracts ▶
Source: Northwind Logistics | Agent: commercial
Uptime commitments and service-credit remedies vary by customer: Meridian 99.9% with credits up to 10% of monthly fee (Exhibit B); Cobalt 99.9% (order form 2.5); Harbor 99.5% with 5% per 0.5% shortfall capped at 25% of monthly fee; Granite 99.5% with 5% per 0.5% capped at 25% per quarter. In each MSA service credits are the customer's sole and exclusive remedy, capping financial downside. These are standard SaaS SLA terms with bounded exposure; noted for completeness and integration planning. No SLA breach history or uptime evidence is in the data room (see gap).
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Exhibit B Service Level Addendum & Section 2.3)“Service credits, where applicable, shall be Customer's sole and exclusive remedy for any failure to meet the committed uptime.”
Northwind_Logistics/msa_harbor_foods.pdf.md (Exhibit A Service Level Agreement (Summary))“| Service Credit | 5% of monthly fee per 0.5% below 99.5%, capped at 25% |”
Product & Tech (3 findings)
Medium ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| Security | 1 | P1:1 | Northwind Logistics |
| data_privacy | 1 | P2:1 | Northwind Logistics |
| support_obligations | 1 | P2:1 | Northwind Logistics |
Security (1 findings, P1:1)▶
Northwind Logistics
● P1 Unlawful US transfer of EU driver telemetry to unauthorized sub-processor (TelemetryWorks) with no DPA, no SCCs, no tran ▶
Source: Northwind Logistics | Agent: producttech
Northwind's own Sub-Processor Register (2026-Q1, status OPEN) discloses that the platform streams real-time driver location/GPS telemetry and trip metadata for the EU customer Tidewater (Belgian drivers) to TelemetryWorks Inc., hosted in Portland, Oregon, USA. Per the register this engagement has (a) NO Article 28 DPA on file, (b) NO EU Standard Contractual Clauses or other Article 46 transfer mechanism, and (c) is NOT listed in the Tidewater DPA Annex 2 of approved sub-processors. This is an active, ongoing transfer of EU personal data to a third country with no lawful transfer basis — a direct breach of Tidewater DPA Section 5 (Sub-Processing) and Section 6 (International Transfers), and of GDPR Chapter V. It also contradicts the DPA's own Annex 3 representation that no sub-processor is located outside the EEA. The data subjects are limited to the Tidewater tenant (~7.5% of ARR), the company has logged the gap for remediation (SCCs/DPA not started), and the exposure is remediable pre-close — hence P1 rather than P0 — but it warrants a specific GDPR-liability indemnity/escrow and confirmed remediation as a condition. The root cause is a process failure: TelemetryWorks was onboarded by Platform Engineering in 2025 outside the DPO sub-processor-approval workflow.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Inventory Row 3 (TelemetryWorks Inc.), Contract/SCC Status column)“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.1 — Flagged Gap (Row 3))“Northwind's platform streams real-time driver location/GPS telemetry and trip metadata for Tidewater's fleet to **TelemetryWorks Inc.**, a sub-processor hosted in Portland, Oregon, USA.”
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 3 — Standard Contractual Clauses)“Status as of the Effective Date: **No SCCs executed** (no Annex-2 Sub-processor located outside the EEA / an adequate country).”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-Processing))“the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
data_privacy (1 findings, P2:1)▶
Northwind Logistics
◆ P2 Tidewater DPA Annex 2 sub-processor list does not reconcile with the 2026-Q1 Sub-Processor Register (different entities ▶
Source: Northwind Logistics | Agent: producttech
The two authoritative GDPR governance documents for the same EU tenant do not reconcile. The Tidewater DPA Annex 2 (last updated 14 Jan 2025) lists approved sub-processors as Aurora Cloud Hosting GmbH (Frankfurt), Helvetia Mail Relay AG (Zurich), Brussels Support Partners BV (Antwerpen), and a Northwind EEA branch. The 2026-Q1 Sub-Processor Register instead names CloudHarbor EU GmbH (Frankfurt), MessageRoute SAS (Paris), LedgerPay Ltd (Dublin), HelpDeskNow Inc (Virginia), ArchiveVault EU (Amsterdam), and TelemetryWorks (Portland) — entirely different entity names — yet the register marks several as 'Listed in Tidewater DPA Annex 2.' Additionally, the DPA document is dated and signed 1 March 2025, while the register states the 'Tidewater DPA executed 2024-09-12.' These inconsistencies undermine the reliability of the sub-processor inventory used to verify GDPR Article 28/30 compliance and should be reconciled before relying on either list. Flagged as a data-integrity/compliance concern for post-close remediation; cite both documents.
Confidence: medium
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 2 — Approved Sub-Processors (Last updated 14 January 2025))“| 1 | Aurora Cloud Hosting GmbH | Frankfurt, Germany (EEA) | Primary infrastructure hosting (compute, storage, database) | N/A — within EEA |”
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Inventory Row 1)“| 1 | **CloudHarbor EU GmbH** | Primary cloud infrastructure / application hosting | Driver identity & contact data, consignee contact data, shipment records | Frankfurt, Germany (EEA) | Yes | **Listed** | DPA executed 2024-08-01; intra-EEA, no transfer mechanism required |”
Northwind_Logistics/subprocessor_register.pdf.md (Section 2 — Key Customer Data Context)“The Tidewater Master Services Agreement incorporates a Data Processing Agreement ("**Tidewater DPA**") executed 2024-09-12.”
support_obligations (1 findings, P2:1)▶
Northwind Logistics
◆ P2 Aggressive SLA commitments (99.9% uptime, 1-hour critical response) unverifiable — no architecture, capacity, or uptime- ▶
Source: Northwind Logistics | Agent: producttech
The two largest customer contracts impose demanding service-level commitments: Meridian Freight (30.1% of ARR) requires 99.9% monthly uptime with a 1-hour critical incident response and Premier 24x7 support; Cobalt Retail (23.3% of ARR) requires a 99.9% uptime SLA with 24x5 support. Harbor Foods and Granite require 99.5% with 1-hour / 2-business-hour Severity-1 response. No architecture documentation, capacity plan, uptime/availability history, SOC 2 report, or operational runbook is present in the data room to substantiate that Northwind can technically meet these contractual commitments, and the contracts make service credits the customer's 'sole and exclusive remedy.' Feasibility is therefore unverified — a moderate post-close technical-diligence item; the underlying contractual SLA text is cited, but the supporting operational evidence is absent (see related gaps).
Confidence: medium
Northwind_Logistics/msa_meridian_freight.pdf.md (Exhibit B — Service Level Addendum (Summary))“| Critical Incident Response | 1 hour |”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 2.3 (Service Levels))“Provider shall use commercially reasonable efforts to make the Platform available with a monthly uptime of at least 99.9%, measured in accordance with the Service Level Addendum attached as **Exhibit B**. Service credits, where applicable, shall be Customer's sole and exclusive remedy for any failure to meet the committed uptime.”
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 2, Item 2.5)“Standard Support (24×5) and 99.9% uptime SLA per MSA Exhibit B | Included”
Cybersecurity (4 findings)
Medium ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| security governance | 2 | P2:1, P3:1 | Northwind Logistics |
| third party risk | 1 | P1:1 | Northwind Logistics |
| encryption standards | 1 | P3:1 | Northwind Logistics |
security governance (2 findings, P2:1, P3:1)▶
Northwind Logistics
◆ P2 Critical sub-processor onboarded outside DPO security-review/approval workflow ▶
Source: Northwind Logistics | Agent: cybersecurity
The Sub-Processor Register records that TelemetryWorks was onboarded by Platform Engineering in 2025 without routing through the DPO sub-processor-approval workflow, which is why it was absent from prior register revisions and the customer DPA Annex 2. This indicates a control weakness in third-party/vendor security governance: engineering teams can stand up production data flows to new vendors (including cross-border PII transfers) without DPO/security review. The remediation tracker shows all corrective items ('Not started' / 'Under discussion'), indicating the governance process has not yet been hardened. Post-close remediation item: enforce mandatory security/DPO review gating for all new sub-processors.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.4 — Internal note)“TelemetryWorks was onboarded by the Platform Engineering team in 2025 to improve route-ETA accuracy; the engagement was not routed through the DPO sub-processor-approval workflow, which is why it is absent from both this register's prior revisions and the Tidewater DPA Annex 2.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 5 — Remediation Tracking)“Execute SCCs (EU 2021 modules, controller-to-processor) with TelemetryWorks | DPO / Legal | TBD | Not started”
○ P3 Customer MSAs commit only to 'commercially reasonable' safeguards with no named standard ▶
Source: Northwind Logistics | Agent: cybersecurity
The Harbor Foods, Meridian Freight, and Granite Manufacturing MSAs each obligate Northwind only to 'commercially reasonable' administrative, physical, and technical safeguards 'consistent with industry standards', with no reference to a specific framework (SOC 2, ISO 27001) or defined controls. For an enterprise SaaS handling logistics/PII at $41.2M ARR, the absence of a contractually-named security standard is a routine but notable gap that enterprise acquirers/customers typically expect to be backed by SOC 2 Type II. Informational; relevant to enterprise-customer retention and upsell.
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 5.2 (Data and Security))“Provider shall maintain commercially reasonable administrative, physical, and technical safeguards designed to protect the security and confidentiality of Customer Data, consistent with industry standards for SaaS providers.”
third party risk (1 findings, P1:1)▶
Northwind Logistics
● P1 Unlawful cross-border transfer of EU driver personal data to unapproved US sub-processor (TelemetryWorks) ▶
Source: Northwind Logistics | Agent: cybersecurity
Northwind's own Sub-Processor Register (maintained by its Data Protection & Security Office, as of 31 March 2026) discloses an OPEN, unresolved compliance gap: it streams real-time EU (Belgian) driver location/GPS telemetry and identifiers for the Tidewater tenant to TelemetryWorks Inc., hosted in Portland, Oregon, USA. There is (a) no DPA Annex 2 listing/approval for this sub-processor, (b) no EU Standard Contractual Clauses or other Chapter V transfer mechanism on file for the EEA-to-US transfer, and (c) no executed Article 28 DPA between Northwind and TelemetryWorks covering EU personal data. The Tidewater DPA at Section 5.3 expressly requires SCCs or another valid Chapter V mechanism for any non-EEA sub-processor, and Section 5.1 requires 30 days' prior notice/opportunity to object. This is an unremediated processing-without-lawful-transfer-basis exposure affecting all active Tidewater fleet drivers, creating GDPR liability (Northwind remains fully liable for sub-processor obligations under DPA 5.4), potential customer termination/claims, and regulatory enforcement risk. Calibrated P1 (material, requires pre-close remediation/indemnity/escrow) rather than P0 because the data flow is documented, scoped, and remediable, and involves one ~7.5%-of-ARR customer rather than a confirmed third-party breach of the records.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 3 (TelemetryWorks Inc.) — Contract/SCC Status)“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.2 — The compliance gaps)“The telemetry data is personal data of EU data subjects (Belgian drivers) transferred from the EEA to the United States. **No EU Standard Contractual Clauses (SCCs) are on file**, no EU–US Data Privacy Framework certification has been verified for TelemetryWorks, and no other Article 46 transfer mechanism is in place. The US transfer currently has **no lawful transfer basis** documented.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-Processing))“Where any Sub-processor is established in, or Processes EU Personal Data from, a country outside the European Economic Area that has not been the subject of an adequacy decision, the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
encryption standards (1 findings, P3:1)▶
Northwind Logistics
○ P3 Documented contractual security controls (TOMs) exist only via single-customer DPA, not enterprise-wide certification ▶
Source: Northwind Logistics | Agent: cybersecurity
The strongest security-control evidence in the data room is the technical and organizational measures schedule in the Tidewater DPA Annex 1 (encryption in transit TLS 1.2+ and at rest AES-256, RBAC with quarterly access reviews, MFA for all admin/production access, network segregation, IDS, annual third-party pentest, documented IRP/BCP). These are positive commitments but are contractual representations made to one EU customer, not independently verified by a SOC 2 / ISO 27001 certificate, audit report, or pentest report in the data room. Treat as the security baseline to validate during confirmatory diligence, not as proof of implemented controls.
Confidence: high
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 1 — Technical and Organizational Measures (Art. 32))“1. Encryption of EU Personal Data in transit (TLS 1.2+) and at rest (AES-256).
2. Role-based access control with least-privilege provisioning and quarterly access reviews.
3. Multi-factor authentication for all administrative and production access.”
HR / People (5 findings)
Low ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| key talent retention | 3 | P2:2, P3:1 | Northwind Logistics |
| workforce classification | 1 | P2:1 | Northwind Logistics |
| compensation analysis | 1 | P3:1 | Northwind Logistics |
key talent retention (3 findings, P2:2, P3:1)▶
Northwind Logistics
◆ P2 Key-person dependency: single contractor built core Route Optimization Engine with no post-delivery retention or non-com ▶
Source: Northwind Logistics | Agent: hr
The Route Optimization Engine — characterized as a 'core differentiating feature' powering 'high-volume enterprise deployments, including Company's largest enterprise customer accounts' — was designed and built by a single external contractor (Signatory C) who must personally perform the work. The engagement is project-scoped and terminable for convenience on 15 days' notice, with no ongoing employment relationship, no non-compete/non-solicit, and no stay/retention mechanism binding the contractor post-close. This creates a single-point-of-failure for maintenance, defect remediation, and roadmap continuity of a differentiating module, plus a flight risk that the contractor could build a competing engine. Retention/organizational-health angle distinct from the IP-ownership gap.
Confidence: high
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A, §1 Background and Objective)“The Engine is intended to power high-volume enterprise deployments, including Company's largest enterprise customer accounts.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§2.2 Termination for Convenience)“Either Party may terminate this Agreement upon fifteen (15) days' prior written notice to the other Party.”
◆ P2 Standard employee agreement contains no non-compete or non-solicit; at-will employment creates post-close flight risk ▶
Source: Northwind Logistics | Agent: hr
The company's standard Employee Proprietary Information and Inventions Assignment Agreement (Rev. 2024.2, applicable to all regular employees) addresses confidentiality and IP assignment but contains NO non-compete and NO non-solicitation covenant, and confirms employment is strictly at-will. For a software target whose value rests on engineering talent, the absence of restrictive covenants means key engineers and product staff are free to depart (and solicit colleagues/customers) at or after closing with no contractual restraint. Combined with the absence of individual executive/founder retention agreements in the data room (see gap), this elevates talent-retention risk for the acquirer and argues for retention packages or new restrictive covenants as a pre-close/integration item. Workforce-retention angle; Legal owns covenant enforceability.
Confidence: medium
Northwind_Logistics/employment_ip_agreement.pdf.md (§8.1 At-Will Employment)“Nothing in this Agreement shall confer any right to continued employment; Employee's employment with the Company is at-will.”
Northwind_Logistics/employment_ip_agreement.pdf.md (Header / scope)“**Applies to: All regular full-time and part-time employees**”
○ P3 Founder concentration: CEO and co-founder hold 49.54% fully-diluted with no retention terms evidenced in data room ▶
Source: Northwind Logistics | Agent: hr
Signatory A (Founder & CEO) holds 33.03% and Co-Founder Holder Y holds 16.51% fully-diluted (together 49.54%). The CEO is the named signatory and presenter across corporate documents, indicating heavy key-person dependence on the founders. While equity ownership provides some economic alignment through closing, the data room contains no executive employment agreement, no post-close retention/earn-out, and no non-compete for either founder, so continuity of founder leadership after the acquisition is not contractually assured. Flagged as informational pending production of executive agreements (see gap).
Confidence: medium
Northwind_Logistics/cap_table_summary.pdf.md (§3.1 Ownership by Group)“Founders (Signatory A + Co-Founder Holder Y) | 49.54%”
Northwind_Logistics/cap_table_summary.pdf.md (§3 note)“On an as-converted basis the largest single beneficial owner is Signatory A at 33.03%.”
workforce classification (1 findings, P2:1)▶
Northwind Logistics
◆ P2 Worker misclassification risk: sole-proprietor contractor performs core platform development under company direction ▶
Source: Northwind Logistics | Agent: hr
Signatory C is engaged as an independent contractor (1099-NEC) to build the Route Optimization Engine, described as 'a core differentiating feature of the Platform.' Several factors create employee-misclassification exposure under IRS/economic-realities and state ABC tests: the contractor must 'personally perform the Services' and cannot subcontract without consent; Company provides 'systems, repositories, and credentials'; Company directs 'scope, requirements, and acceptance criteria'; and the engagement spans a multi-milestone production build integrated into the company's flagship product. While only one worker is affected (below the >20-worker P2 threshold for volume), the misclassification of a worker building core IP carries back-tax, penalty, and benefits-reclassification risk and compounds the IP-ownership exposure (no present assignment in the contractor agreement). Workforce-impact angle; Legal owns enforceability/IP analysis.
Confidence: medium
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A, §6 Key Personnel)“Contractor (Signatory C) shall personally perform the Services and shall not subcontract any portion of the Services without Company's prior written consent.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§1.3 Manner of Performance)“Contractor shall provide Contractor's own equipment, tools, development environment, and materials, except for such Company systems, repositories, and credentials as Company may elect to provide for integration purposes.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§3.4 No Benefits; Taxes)“Contractor acknowledges that Contractor is not an employee of Company and is not entitled to any employee benefits.”
compensation analysis (1 findings, P3:1)▶
Northwind Logistics
○ P3 Equity compensation pool: 2.15M options granted plus 850K unallocated; vesting/strike detail not in data room ▶
Source: Northwind Logistics | Agent: hr
The cap table shows 2,150,000 granted stock options (9.86% FD) and an 850,000-share unallocated pool (3.90% FD). Option vesting schedules and change-of-control acceleration terms drive employee-retention economics in an acquisition (unvested equity is the primary stay incentive). The summary references 'Exhibit B — Option grant schedule (grant date, strike, vesting)' but that exhibit is not included in the data room, so acceleration triggers and unvested overhang cannot be assessed. Informational; detail requested via gap.
Confidence: high
Northwind_Logistics/cap_table_summary.pdf.md (§2 Authorized & Issued Capital)“| Stock Options (ISO/NSO, granted) | — | 2,150,000 | — |”
Northwind_Logistics/cap_table_summary.pdf.md (§7 Exhibits)“| Exhibit B | Option grant schedule (grant date, strike, vesting) |”
Tax (4 findings)
Low ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| sales use tax | 1 | P2:1 | Northwind Logistics |
| international tax | 1 | P2:1 | Northwind Logistics |
| employee tax | 1 | P3:1 | Northwind Logistics |
| tax provisions | 1 | P3:1 | Northwind Logistics |
sales use tax (1 findings, P2:1)▶
Northwind Logistics
◆ P2 Multi-state sales/use tax nexus exposure on SaaS revenue with no evidence of collection or reserve ▶
Source: Northwind Logistics | Agent: tax
Northwind is a Delaware C-corp headquartered in Columbus, Ohio, generating $41.2M ARR from SaaS subscriptions to customers across multiple U.S. states — Meridian Freight (New Jersey), Cobalt Retail (Delaware), Harbor Foods (Texas), Granite Manufacturing (Ohio), plus 47 long-tail SMB accounts in various jurisdictions. SaaS/cloud software is a taxable service in several of these states (notably Texas, which taxes SaaS as a data-processing service, and Ohio for business use). Every customer contract shifts the economic burden of sales/use tax to the customer and states fees are 'exclusive of taxes,' but the legal incidence to collect and remit sales tax falls on the seller (Northwind). Post-Wayfair economic-nexus thresholds (commonly $100K revenue / 200 transactions) are very likely exceeded in multiple states given contract sizes ($4.5M–$12.4M each). The data room contains no sales-tax registrations, collection records, nexus study, or reserve. If Northwind has not been collecting/remitting SaaS sales tax where due, the target bears historical uncollected-tax liability plus penalties and interest, which transfers to the buyer in a stock acquisition. Calibrated P2: nexus exposure across 5+ states without reserves; quantification requires a nexus study (see gaps).
Confidence: medium
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 3.4 (Taxes))“Fees are exclusive of all sales, use, value-added, and similar taxes, which shall be the responsibility of Customer, excluding taxes based on Provider's net income.”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 4.5 (Taxes))“Customer is responsible for all sales, use, and similar taxes associated with its purchase of the services, excluding taxes based on Provider's net income.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 1 Headline Metrics; Sheet 2 ARR by Customer)“Total active customer logos | 52”
international tax (1 findings, P2:1)▶
Northwind Logistics
◆ P2 Undisclosed German/EEA branch operations create permanent-establishment, VAT and transfer-pricing exposure ▶
Source: Northwind Logistics | Agent: tax
The Tidewater Data Processing Addendum discloses that Northwind operates 'intra-group EEA branch operations' in Frankfurt, Germany, performing 'Platform operations and maintenance,' and that the Processor's primary hosting and processing of EU personal data takes place within the EEA (Frankfurt, Germany region). An operating branch performing platform operations/maintenance in Germany is a strong indicator of a permanent establishment (PE) for German corporate income tax purposes, and may trigger German VAT registration obligations and require arm's-length transfer-pricing support for the intra-group services flowing to/from the U.S. parent. The company is presented throughout the data room solely as a Delaware C-corp subject to U.S. corporate income tax (cap table summary), with no mention of a German entity/branch, German tax filings, VAT registration, or transfer-pricing documentation. Separately, Tidewater is an EU (Belgian) customer billed in EUR ($3.1M, ~7.5% of ARR), raising EU VAT treatment questions (place-of-supply / reverse-charge for B2B digital services) that interact with any German fixed establishment. Undocumented foreign operations of this nature create unreserved corporate-tax, VAT and transfer-pricing exposure plus penalty/interest risk. Calibrated P2 pending confirmation of the branch's substance and filing history (see gaps).
Confidence: medium
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 2 — Approved Sub-Processors, Row 4)“Northwind Logistics Software, Inc. (intra-group EEA branch operations)”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 6.3 (International Transfers))“The Processor's primary hosting and Processing of EU Personal Data shall take place within the European Economic Area (Frankfurt, Germany region) save as expressly set out in Annex 2.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 2.3)“The annual subscription fee payable by the Controller under the Agreement is USD $3,100,000 (representing approximately 7.5% of the Provider's total annual recurring revenue)”
employee tax (1 findings, P3:1)▶
Northwind Logistics
○ P3 Worker-classification risk on Route Optimization Engine contractor engagement ▶
Source: Northwind Logistics | Agent: tax
Northwind engaged Signatory C as an independent contractor for a $185,000 fixed fee to build the core Route Optimization Engine, with the contractor required to personally perform the services and barred from subcontracting without consent, working with company-provided repositories/credentials, and subject to company direction on scope and acceptance. The agreement places all employment/self-employment tax responsibility on the contractor and provides for IRS Form 1099-NEC reporting. The combination of personal-performance requirement, integration of the deliverable into the company's core platform, and company direction creates a worker-misclassification risk; if the IRS or a state agency were to reclassify the engagement as employment, Northwind could face back employment taxes, withholding, and penalties. Modest dollar magnitude ($185K) and a single identified engagement support a P3, but the buyer should confirm whether other contractors are similarly engaged.
Confidence: medium
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Section 3.4 (No Benefits; Taxes))“Contractor is solely responsible for all federal, state, and local taxes, including self-employment taxes, arising from amounts paid under this Agreement. Company shall report payments on IRS Form 1099-NEC as required by law.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A, Section 6 (Key Personnel))“Contractor (Signatory C) shall personally perform the Services and shall not subcontract any portion of the Services without Company's prior written consent.”
tax provisions (1 findings, P3:1)▶
Northwind Logistics
○ P3 Cobalt $28.8M up-front prepayment creates significant book-tax timing difference / advance-payment income question ▶
Source: Northwind Logistics | Agent: tax
The Cobalt Retail order was invoiced and cash-collected in full ($28,800,000) on January 15, 2025 for a 36-month service period (2025-2027). For U.S. federal tax purposes, advance payments for services received in 2025 are generally includible in taxable income on receipt, subject only to the limited one-year deferral under IRC §451(c) — a treatment that diverges from the book recognition pattern (the FP&A note flags a front-loaded book recognition that itself differs from straight-line). This produces a material book-tax timing difference and a corresponding deferred-tax position that the buyer should confirm was correctly computed and reflected in the tax provision and estimated payments. Revenue-recognition mechanics themselves are Finance's domain; this finding is limited to the tax-accounting/advance-payment dimension. P3 — a provision/timing item to verify, not a standalone liability.
Confidence: medium
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 4.5 (Invoice and Collection))“Invoice No. NW-INV-2025-0021 in the amount of $28,800,000 was issued on January 15, 2025 and paid and cash-collected in full on January 15, 2025.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4.1 — FP&A recognition note)“The Cobalt $28.8M / 36-month prepaid arrangement was recognized with a front-loaded Year-1 tranche rather than ratably over the 36-month service period.”
Regulatory (4 findings)
Medium ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| data privacy regulation | 4 | P1:1, P2:2, P3:1 | Northwind Logistics |
data privacy regulation (4 findings, P1:1, P2:2, P3:1)▶
Northwind Logistics
◆ P2 Date discrepancy in Tidewater DPA execution date between DPA and Sub-Processor Register (2025-03-01 vs 2024-09-12) ▶
Source: Northwind Logistics | Agent: regulatory
The Tidewater DPA document states it was executed on 1 March 2025 (Effective Date of the Agreement and signature dates of both parties). However, the Sub-Processor Register §2 states the Tidewater DPA was 'executed 2024-09-12.' These two company-prepared documents disagree on the execution/effective date of the same DPA. This is a documentary inconsistency that should be reconciled to confirm which DPA version governs and that the controlling DPA Annex 2 is the one being measured against. Moderate/administrative severity — likely a drafting error but warrants confirmation given the live sub-processor compliance gap keyed to Annex 2.
Confidence: medium
Northwind_Logistics/dpa_tidewater.pdf.md (Preamble / Section 11.1)“This DPA takes effect on the Effective Date of the Agreement (1 March 2025) and continues for the **two (2) year** initial term of the Agreement”
Northwind_Logistics/subprocessor_register.pdf.md (Section 2)“The Tidewater Master Services Agreement incorporates a Data Processing Agreement ("**Tidewater DPA**") executed 2024-09-12.”
● P1 Unlawful EU-to-US transfer of EU driver telemetry to TelemetryWorks (no SCCs, no DPA, not in Annex 2) — active GDPR Chap ▶
Source: Northwind Logistics | Agent: regulatory
Northwind streams real-time EU (Belgian) driver location/GPS telemetry and trip metadata for the Tidewater tenant to sub-processor TelemetryWorks Inc., hosted in Portland, Oregon, USA. Per the company's own Sub-Processor Register (2026-Q1, status OPEN/unresolved), this transfer has (a) no SCCs on file, (b) no executed Article 28 DPA between Northwind and TelemetryWorks, (c) no EU-US Data Privacy Framework certification verified, and (d) no other Article 46 transfer mechanism — i.e. NO lawful transfer basis under GDPR Chapter V. Separately, TelemetryWorks is NOT listed in Tidewater DPA Annex 2, so Tidewater was never notified of or given the opportunity to object to this sub-processor as required by DPA §5.1, and the DPA's own §5.3/§6.1 require an SCC or valid Chapter V mechanism for any non-EEA, non-adequate sub-processor. The engagement bypassed the DPO sub-processor-approval workflow. This is an active, in-production processing activity affecting EU data subjects and constitutes a GDPR violation exposing Northwind to supervisory-authority enforcement (Art. 83 fines up to 4% of global turnover) and breach-of-contract/termination exposure under the Tidewater DPA. All four remediation items are 'Not started.' Severity P1 (not P0): it is remediable pre-close via SCC/DPA execution, Tidewater notification, and/or re-routing telemetry to EEA, and Tidewater represents only ~7.5% of ARR.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 3 (TelemetryWorks Inc.); Section 4 Flagged Gap)“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.2(b))“The telemetry data is personal data of EU data subjects (Belgian drivers) transferred from the EEA to the United States. **No EU Standard Contractual Clauses (SCCs) are on file**, no EU–US Data Privacy Framework certification has been verified for TelemetryWorks, and no other Article 46 transfer mechanism is in place. The US transfer currently has **no lawful transfer basis** documented.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-Processing))“Where any Sub-processor is established in, or Processes EU Personal Data from, a country outside the European Economic Area that has not been the subject of an adequacy decision, the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
◆ P2 Sub-processor change-notification obligation to EU customer triggered; Tidewater not notified of TelemetryWorks per DPA ▶
Source: Northwind Logistics | Agent: regulatory
The Tidewater DPA §5.1 grants the controller a 30-day advance notice-and-objection right for any new sub-processor. Northwind's own register confirms TelemetryWorks was onboarded by Platform Engineering without routing through the DPO approval workflow and is absent from DPA Annex 2, meaning the contractual notification right was not honored. Beyond the Chapter V transfer issue (separate finding), this is a standalone contractual data-protection process failure that the acquirer should require be cured (Tidewater notification + Annex 2 update) pre- or shortly post-close. Moderate severity: addressable through standard remediation; remediation item is logged but 'Not started.'
Confidence: high
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.1)“The Processor shall inform the Controller of any intended addition or replacement of a Sub-processor not less than thirty (30) days in advance, thereby giving the Controller the opportunity to object.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.4 Internal note)“the engagement was not routed through the DPO sub-processor-approval workflow, which is why it is absent from both this register's prior revisions and the Tidewater DPA Annex 2.”
○ P3 Incidental EU driver data may reach US-based HelpDeskNow tickets; scope limited to admin-contact SCCs ▶
Source: Northwind Logistics | Agent: regulatory
HelpDeskNow Inc. (Virginia, USA) provides support ticketing and is covered by 2021 EU module SCCs for admin-contact data, with 'driver telemetry out of scope.' The register notes 'incidental driver data if pasted into tickets,' which could place EU driver personal data outside the documented SCC scope on an ad hoc basis. Low severity/informational: the primary transfer mechanism exists for the in-scope data; recommend confirming DLP/process controls prevent driver data entering tickets. Noted for completeness.
Confidence: medium
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 5 (HelpDeskNow Inc.))“Northwind customer-admin support contacts; incidental driver data if pasted into tickets”
ESG (1 findings)
Low ▶| Category | Findings | Severity Mix | Top Entity |
|---|---|---|---|
| esg governance | 1 | P3:1 | Northwind Logistics |
esg governance (1 findings, P3:1)▶
Northwind Logistics
○ P3 ESG governance gap: vendor onboarded outside DPO approval control, indicating internal-control weakness ▶
Source: Northwind Logistics | Agent: esg
The sub-processor register discloses that a US-based data-processing vendor (TelemetryWorks Inc.) was onboarded by Platform Engineering without routing through the Data Protection Officer's sub-processor-approval workflow. While the substantive data-privacy/transfer exposure is for the Legal/Regulatory/Cybersecurity specialists, from an ESG-governance ('G') lens this reflects a control-environment weakness: a defined governance workflow was bypassed by an operating team, and the lapse went undetected across prior register revisions. Relevant to assessing board/management oversight maturity and governance controls in the combined entity. Severity kept at P3 because the privacy substance is owned by other domains and the governance lapse is a single, self-disclosed control deviation.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.4 Internal note)“TelemetryWorks was onboarded by the Platform Engineering team in 2025 to improve route-ETA accuracy; the engagement was not routed through the DPO sub-processor-approval workflow, which is why it is absent from both this register's prior revisions and the Tidewater DPA Annex 2.”
Due Diligence Report
Summit Industrial Group acquiring Northwind Logistics Software | Deal type: acquisition
Overall Risk: High
Run ID: run_20260606_210024_13c73b
2
Entities
44
Findings
54
Gaps
2
P0
10
P1
17
P2
15
P3
Deal Breakers (2)
▲ P0 Largest customer (Meridian, 30.1% of ARR) holds unconditional immediate CoC termination right triggered by this acquisit +1 similar
Source: Northwind Logistics | Agent: finance
The Meridian Freight MSA (§12.3) grants Customer the right to terminate immediately upon a Change of Control of Provider, in its 'sole and absolute discretion,' with no cure period, no cap, and no carve-out, exercisable within 60 days of closing/notice. The cap_table_summary confirms the Summit acquisition 'constitutes a Change of Control' and 'may trigger rights under' this agreement. Meridian is the single largest customer at $12,400,000 ARR (30.1% of total $41.2M ARR per the ARR schedule). From a finance lens this places 30.1% of ARR at risk of unilateral loss at closing, plus a contractual obligation to refund prepaid fees pro-rata for the unused portion of the then-current annual period. This exceeds the 20%-revenue / no-cure CoC threshold for a deal-stopper and warrants pre-close protection (customer reaffirmation/consent, escrow, or price adjustment). Legal owns the clause analysis; this finding quantifies the revenue-at-risk and refund exposure.
“in the event of a Change of Control of Provider, Customer may terminate this Agreement, effective immediately, by delivering written notice of such election to Provider (or its successor) at any time within sixty (60) days following the later of (i) the closing of the Change of Control or (ii) Customer's receipt of the notice required under Section 12.3(b). Such termination shall be automatic and effective upon Customer's written election, and shall not require the consent of Provider or its successor, nor shall it be subject to any cure period, transition period, or wind-down obligation.”
Key Risks (10)
| Domain | Category | Count | Top Finding | Severity |
|---|---|---|---|---|
| Commercial | undisclosed_material_contract | 1 | Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room | ● P1 |
| Commercial | renewal_terms | 1 | Harbor Foods (16.5% of ARR) holds termination-for-convenience right on 30 days' notice with pro-rata refund; refund liab | ● P1 |
| Cybersecurity | third party risk | 1 | Unlawful cross-border transfer of EU driver personal data to unapproved US sub-processor (TelemetryWorks) | ● P1 |
| Finance | revenue recognition | 1 | Cobalt $28.8M prepaid recognized front-loaded in Year 1 rather than ratably — overstates revenue/ARR quality; possible r | ● P1 |
| Finance | revenue composition | 1 | High customer concentration: Top-1 30.1% and Top-3 69.9% of ARR; durability hinges on three enterprise contracts | ● P1 |
| Legal | ip ownership | 1 | Core Route Optimization Engine built by contractor with NO IP assignment — only a non-exclusive license to Northwind | ● P1 |
| Legal | data privacy | 1 | GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing | ● P1 |
| Legal | change of control | 1 | Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition | ● P1 |
| Product & Tech | security_posture | 1 | Unlawful US transfer of EU driver telemetry to unauthorized sub-processor (TelemetryWorks) with no DPA, no SCCs, no tran | ● P1 |
| Regulatory | data privacy regulation | 1 | Unlawful EU-to-US transfer of EU driver telemetry to TelemetryWorks (no SCCs, no DPA, not in Annex 2) — active GDPR Chap | ● P1 |
SaaS Health Metrics
$28.8M
Total ARR
2
Entities
1/2
With Revenue Data
$28.8M
Avg Contract Value
100% of ARR
Top Entity
Entity Tier Distribution
| Tier | Entities | % |
|---|---|---|
| Enterprise | 1 | 50% |
| Mid-Market | 0 | 0% |
| SMB | 0 | 0% |
Net & Gross Revenue Retention
100%
NRR Estimate
90%
GRR Estimate
1
Expansion Signals
1
Contraction Signals
Benchmark Comparison
NRR 100% vs. best-in-class SaaS benchmark of 120%+. GRR 90% vs. median SaaS benchmark of 90%.
Unit Economics & Growth
50%
Logo Retention (Est.)
$288.0M
CLV Estimate
0
Rule of 40 (Est.)
Rule of 40 score is 0 (below threshold)
Rule of 40 = Revenue Growth % + EBITDA Margin %. Score below 20 signals concern. Note: margin data unavailable, score reflects growth only.
Top entity represents 100% of total ARR
Severe concentration risk. Consider earn-out or escrow protections.
P0 Deal Stoppers
2 P0 Deal Stoppers across 1 entities
1 entities have findings at this severity level. Review each entity's primary issue and total finding count below.
| Entity | P0 COUNT | Total Findings | Primary Issue |
|---|---|---|---|
| Northwind Logistics | 2 | 44 | Largest customer (Meridian, 30.1% of ARR) holds unconditional immediate CoC termination right triggered by this acquisit |
P1 Critical Issues
10 P1 Critical Issues across 1 entities
1 entities have findings at this severity level. Review each entity's primary issue and total finding count below.
| Entity | P1 COUNT | Total Findings | Primary Issue |
|---|---|---|---|
| Northwind Logistics | 10 | 44 | Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition |
Change of Control Analysis
1 entities with change-of-control provisions
13 change-of-control findings identified across 1 entities (2 Competitor-Only, 7 Consent-Required, 1 General, 3 Termination-Right). 1 entities may require assignment consent. Initiate customer outreach for consent-dependent contracts.
| Entity | Type | Findings | Severity | Primary Issue |
|---|---|---|---|---|
| Northwind Logistics | Consent-Required | 13 | ▲ P0 | Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition |
Termination for Convenience — Revenue Quality
1 entities with TfC clauses (valuation input)
1 termination-for-convenience findings across 1 entities. TfC revenue is non-committed (at-risk ARR). Model as a valuation/RPO input — this is not a deal-blocker.
| Entity | Notice Period | Revenue Impact | Finding Detail |
|---|---|---|---|
| Northwind Logistics | Termination subtype: Termination for Convenience (TfC), unilateral right held by | See valuation model | Harbor Foods (16.5% of ARR) holds 30-day termination-for-convenience right with pro-rata refund |
Data Privacy & DPA Analysis
10 privacy findings across 1 entities
Data privacy analysis identified 10 findings. Review GDPR/CCPA compliance status and DPA coverage for each entity.
| Entity | Findings | Max Severity | Primary Issue |
|---|---|---|---|
| Northwind Logistics | 10 | ● P1 | GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing |
Domain Risk Heatmap
Legal
High
9 findings (P1:3 | P2:3 | P3:3)
Finance
High
5 findings (P0:1 | P1:2 | P2:1 | P3:1)
Commercial
High
9 findings (P0:1 | P1:2 | P2:3 | P3:3)
Product & Tech
Medium
3 findings (P1:1 | P2:2)
Cybersecurity
Medium
4 findings (P1:1 | P2:1 | P3:2)
HR / People
Low
5 findings (P2:3 | P3:2)
Tax
Low
4 findings (P2:2 | P3:2)
Regulatory
Medium
4 findings (P1:1 | P2:2 | P3:1)
ESG
Low
1 findings (P3:1)
Discount & Pricing Analysis
Pricing Findings
| Severity | Entity | Finding |
|---|---|---|
| ● P1 | Northwind Logistics | Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition |
| ◆ P2 | Northwind Logistics | Harbor Foods (16.5% of ARR) holds 30-day termination-for-convenience right with pro-rata refund |
| ▲ P0 | Northwind Logistics | Largest customer (Meridian, 30.1% of ARR) holds unconditional immediate CoC termination right triggered by this acquisit |
| ● P1 | Northwind Logistics | Cobalt $28.8M prepaid recognized front-loaded in Year 1 rather than ratably — overstates revenue/ARR quality; possible r |
| ○ P3 | Northwind Logistics | Cobalt renewal uplift capped at 5%; Cobalt mid-term price held firm — standard pricing terms |
| ▲ P0 | Northwind Logistics | Meridian Freight (30.1% of ARR) holds unconditional immediate termination right triggered by Summit's acquisition, no cu |
| ○ P3 | Northwind Logistics | Cobalt order form auto-renews 12-month terms with capped 5% uplift; 90-day non-renewal notice |
| ◆ P2 | Northwind Logistics | Undisclosed German/EEA branch operations create permanent-establishment, VAT and transfer-pricing exposure |
Renewal & Contract Expiry Analysis
7
Renewal Findings
3
Auto-Renew
0
Manual Renew
2
Escalation Caps
0
Evergreen
Expiry Distribution
| Period | Count |
|---|---|
| 0-6mo | 0 |
| 6-12mo | 1 |
| 12-24mo | 0 |
| >24mo | 0 |
Renewal Findings
| Severity | Entity | Finding |
|---|---|---|
| ● P1 | Northwind Logistics | High customer concentration: Top-1 30.1% and Top-3 69.9% of ARR; durability hinges on three enterprise contracts |
| ● P1 | Northwind Logistics | Harbor Foods (16.5% of ARR) holds termination-for-convenience right on 30 days' notice with pro-rata refund; refund liab |
| ○ P3 | Northwind Logistics | Cobalt renewal uplift capped at 5%; Cobalt mid-term price held firm — standard pricing terms |
| ● P1 | Northwind Logistics | Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room |
| ◆ P2 | Northwind Logistics | High customer concentration: top-1 30.1%, top-3 69.9%, top-5 88.3% of ARR |
| ◆ P2 | Northwind Logistics | Granite Manufacturing (10.9% of ARR) does NOT auto-renew; requires affirmative mutual written renewal 30 days before Feb |
| ○ P3 | Northwind Logistics | Cobalt order form auto-renews 12-month terms with capped 5% uplift; 90-day non-renewal notice |
Regulatory & Compliance Risk Assessment
13
Compliance Findings
10
DPA Issues
100%
DPA Coverage
2
Jurisdiction
7
Regulatory
100
Risk Score (Critical)
10 DPA-related findings identified
Assess GDPR/CCPA compliance posture and remediation costs. Typical DPA remediation: $50K-$500K depending on scope.
Top Jurisdictions
| Jurisdiction | Count |
|---|---|
| Ohio | 3 |
| Delaware | 2 |
| Texas | 2 |
| New Jersey | 1 |
Regulatory Filing Checklist
- GDPR: Data Protection Impact Assessment (DPIA)
Compliance Findings
| Severity | Entity | Finding |
|---|---|---|
| ● P1 | Northwind Logistics | GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing |
| ● P1 | Northwind Logistics | Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room |
| ● P1 | Northwind Logistics | Unlawful US transfer of EU driver telemetry to unauthorized sub-processor (TelemetryWorks) with no DPA, no SCCs, no tran |
| ◆ P2 | Northwind Logistics | Tidewater DPA Annex 2 sub-processor list does not reconcile with the 2026-Q1 Sub-Processor Register (different entities |
| ● P1 | Northwind Logistics | Unlawful cross-border transfer of EU driver personal data to unapproved US sub-processor (TelemetryWorks) |
| ◆ P2 | Northwind Logistics | Critical sub-processor onboarded outside DPO security-review/approval workflow |
| ◆ P2 | Northwind Logistics | Date discrepancy in Tidewater DPA execution date between DPA and Sub-Processor Register (2025-03-01 vs 2024-09-12) |
| ○ P3 | Northwind Logistics | Documented contractual security controls (TOMs) exist only via single-customer DPA, not enterprise-wide certification |
| ◆ P2 | Northwind Logistics | Multi-state sales/use tax nexus exposure on SaaS revenue with no evidence of collection or reserve |
| ◆ P2 | Northwind Logistics | Undisclosed German/EEA branch operations create permanent-establishment, VAT and transfer-pricing exposure |
| ● P1 | Northwind Logistics | Unlawful EU-to-US transfer of EU driver telemetry to TelemetryWorks (no SCCs, no DPA, not in Annex 2) — active GDPR Chap |
| ◆ P2 | Northwind Logistics | Sub-processor change-notification obligation to EU customer triggered; Tidewater not notified of TelemetryWorks per DPA |
| ○ P3 | Northwind Logistics | ESG governance gap: vendor onboarded outside DPO approval control, indicating internal-control weakness |
Legal Entity Distribution & Migration Risk
4
Entity Findings
1
Entities Referenced
Referenced Entities
| Entity Name |
|---|
| northwind_logistics |
Entity-Related Findings
| Severity | Entity | Finding |
|---|---|---|
| ◆ P2 | Northwind Logistics | Granite Manufacturing CoC requires counterparty consent to assign (consent not unreasonably withheld); no termination ri |
| ◆ P2 | Northwind Logistics | Critical sub-processor onboarded outside DPO security-review/approval workflow |
| ○ P3 | Northwind Logistics | Customer MSAs commit only to 'commercially reasonable' safeguards with no named standard |
| ○ P3 | Northwind Logistics | ESG governance gap: vendor onboarded outside DPO approval control, indicating internal-control weakness |
Contract Date Timeline & Expiry Calendar
8
Date-Related Findings
7
Date Mentions
2024-09-12
Earliest Expiry
2027-12-31
Latest Expiry
8 contract date/expiry findings
Review for cliff risks and pre-close expiry exposure. 7 specific date mentions found across findings.
Contract Date Findings
| Severity | Entity | Finding |
|---|---|---|
| ● P1 | Northwind Logistics | High customer concentration: Top-1 30.1% and Top-3 69.9% of ARR; durability hinges on three enterprise contracts |
| ● P1 | Northwind Logistics | Harbor Foods (16.5% of ARR) holds termination-for-convenience right on 30 days' notice with pro-rata refund; refund liab |
| ○ P3 | Northwind Logistics | Cobalt renewal uplift capped at 5%; Cobalt mid-term price held firm — standard pricing terms |
| ● P1 | Northwind Logistics | Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room |
| ◆ P2 | Northwind Logistics | High customer concentration: top-1 30.1%, top-3 69.9%, top-5 88.3% of ARR |
| ◆ P2 | Northwind Logistics | Granite Manufacturing (10.9% of ARR) does NOT auto-renew; requires affirmative mutual written renewal 30 days before Feb |
| ○ P3 | Northwind Logistics | Cobalt order form auto-renews 12-month terms with capped 5% uplift; 90-day non-renewal notice |
| ◆ P2 | Northwind Logistics | Date discrepancy in Tidewater DPA execution date between DPA and Sub-Processor Register (2025-03-01 vs 2024-09-12) |
Insurance & Liability Analysis
13
Total Findings
0
Insurance
6
Liability Caps
0
Uncapped
7
Indemnification
Liability Findings
| Entity | Finding | Severity |
|---|---|---|
| Northwind Logistics | Core Route Optimization Engine built by contractor with NO IP assignment — only a non-exclusive license to Northwind | ● P1 |
| Northwind Logistics | GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing | ● P1 |
| Northwind Logistics | Harbor Foods (16.5% of ARR) holds 30-day termination-for-convenience right with pro-rata refund | ◆ P2 |
| Northwind Logistics | Standard mutual liability caps (12-month fees) across enterprise MSAs | ○ P3 |
| Northwind Logistics | Harbor Foods (16.5% of ARR) holds termination-for-convenience right on 30 days' notice with pro-rata refund; refund liab | ● P1 |
| Northwind Logistics | Meridian Freight (30.1% of ARR) holds unconditional immediate termination right triggered by Summit's acquisition, no cu | ▲ P0 |
| Northwind Logistics | Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room | ● P1 |
| Northwind Logistics | Management board deck affirmatively misstates CoC/termination exposure on largest customer | ◆ P2 |
| Northwind Logistics | Unlawful US transfer of EU driver telemetry to unauthorized sub-processor (TelemetryWorks) with no DPA, no SCCs, no tran | ● P1 |
| Northwind Logistics | Tidewater DPA Annex 2 sub-processor list does not reconcile with the 2026-Q1 Sub-Processor Register (different entities | ◆ P2 |
| Northwind Logistics | Unlawful cross-border transfer of EU driver personal data to unapproved US sub-processor (TelemetryWorks) | ● P1 |
| Northwind Logistics | Multi-state sales/use tax nexus exposure on SaaS revenue with no evidence of collection or reserve | ◆ P2 |
| Northwind Logistics | Cobalt $28.8M up-front prepayment creates significant book-tax timing difference / advance-payment income question | ○ P3 |
IP & Technology License Risk
6
Total IP Findings
3
Ownership Gaps
0
Open Source
2
License Risks
3 IP ownership gaps identified
3 contracts have unclear IP ownership. Resolve ownership before close to protect core technology assets.
IP & License Findings
| Entity | Finding | Severity |
|---|---|---|
| Northwind Logistics | Core Route Optimization Engine built by contractor with NO IP assignment — only a non-exclusive license to Northwind | ● P1 |
| Northwind Logistics | Standard mutual liability caps (12-month fees) across enterprise MSAs | ○ P3 |
| Northwind Logistics | Employee IP assignment standard form is robust (present assignment + work-for-hire) but applies only to employees | ○ P3 |
| Northwind Logistics | Core route-optimization engine IP not assigned to Company (only non-exclusive license) — valuation/asset-quality risk | ◆ P2 |
| Northwind Logistics | Worker misclassification risk: sole-proprietor contractor performs core platform development under company direction | ◆ P2 |
| Northwind Logistics | Standard employee agreement contains no non-compete or non-solicit; at-will employment creates post-close flight risk | ◆ P2 |
Clause Analysis
Findings classified against standard M&A clause taxonomy with market norm comparisons.
42
Classified Findings
12
Clause Types Found
▶ Change of Control 13
Market Norm: Most enterprise contracts include CoC clauses. Consent-required with 30-60 day cure is standard.
Risk Implications: May trigger consent requirements, termination rights, or automatic termination upon acquisition.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ● P1 | Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition |
| Northwind Logistics | ◆ P2 | Granite Manufacturing CoC requires counterparty consent to assign (consent not unreasonably withheld); no termination ri |
| Northwind Logistics | ◆ P2 | Acquisition triggers Series B protective provision requiring investor consent to change of control |
| Northwind Logistics | ○ P3 | Harbor Foods MSA permits assignment in M&A without consent; CoC gives no termination right (favorable) |
| Northwind Logistics | ▲ P0 | Largest customer (Meridian, 30.1% of ARR) holds unconditional immediate CoC termination right triggered by this acquisit |
| Northwind Logistics | ● P1 | High customer concentration: Top-1 30.1% and Top-3 69.9% of ARR; durability hinges on three enterprise contracts |
| Northwind Logistics | ● P1 | Harbor Foods (16.5% of ARR) holds termination-for-convenience right on 30 days' notice with pro-rata refund; refund liab |
| Northwind Logistics | ▲ P0 | Meridian Freight (30.1% of ARR) holds unconditional immediate termination right triggered by Summit's acquisition, no cu |
| Northwind Logistics | ● P1 | Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room |
| Northwind Logistics | ◆ P2 | High customer concentration: top-1 30.1%, top-3 69.9%, top-5 88.3% of ARR |
| Northwind Logistics | ◆ P2 | Management board deck affirmatively misstates CoC/termination exposure on largest customer |
| Northwind Logistics | ◆ P2 | Granite Manufacturing (10.9% of ARR) does NOT auto-renew; requires affirmative mutual written renewal 30 days before Feb |
| Northwind Logistics | ○ P3 | Granite MSA permits customer to withhold consent to CoC assignment if acquirer is a 'direct competitor' |
▶ Data Privacy & DPA 12
Market Norm: DPA required for all EU personal data processing. SCCs or adequacy decisions for cross-border transfers.
Risk Implications: Missing or inadequate DPAs create regulatory exposure. Cross-border transfer issues affect operations.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ● P1 | GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing |
| Northwind Logistics | ● P1 | Unlawful US transfer of EU driver telemetry to unauthorized sub-processor (TelemetryWorks) with no DPA, no SCCs, no tran |
| Northwind Logistics | ◆ P2 | Tidewater DPA Annex 2 sub-processor list does not reconcile with the 2026-Q1 Sub-Processor Register (different entities |
| Northwind Logistics | ● P1 | Unlawful cross-border transfer of EU driver personal data to unapproved US sub-processor (TelemetryWorks) |
| Northwind Logistics | ◆ P2 | Critical sub-processor onboarded outside DPO security-review/approval workflow |
| Northwind Logistics | ◆ P2 | Date discrepancy in Tidewater DPA execution date between DPA and Sub-Processor Register (2025-03-01 vs 2024-09-12) |
| Northwind Logistics | ○ P3 | Documented contractual security controls (TOMs) exist only via single-customer DPA, not enterprise-wide certification |
| Northwind Logistics | ◆ P2 | Undisclosed German/EEA branch operations create permanent-establishment, VAT and transfer-pricing exposure |
| Northwind Logistics | ● P1 | Unlawful EU-to-US transfer of EU driver telemetry to TelemetryWorks (no SCCs, no DPA, not in Annex 2) — active GDPR Chap |
| Northwind Logistics | ◆ P2 | Sub-processor change-notification obligation to EU customer triggered; Tidewater not notified of TelemetryWorks per DPA |
| Northwind Logistics | ○ P3 | Incidental EU driver data may reach US-based HelpDeskNow tickets; scope limited to admin-contact SCCs |
| Northwind Logistics | ○ P3 | ESG governance gap: vendor onboarded outside DPO approval control, indicating internal-control weakness |
▶ Anti-Assignment 4
Market Norm: Most contracts restrict assignment without consent but include carve-outs for affiliates or mergers.
Risk Implications: May block assignment of contracts to acquirer post-close without counterparty consent.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ○ P3 | Employee IP assignment standard form is robust (present assignment + work-for-hire) but applies only to employees |
| Northwind Logistics | ◆ P2 | Core route-optimization engine IP not assigned to Company (only non-exclusive license) — valuation/asset-quality risk |
| Northwind Logistics | ◆ P2 | Worker misclassification risk: sole-proprietor contractor performs core platform development under company direction |
| Northwind Logistics | ◆ P2 | Standard employee agreement contains no non-compete or non-solicit; at-will employment creates post-close flight risk |
▶ Exclusivity 3
Market Norm: Exclusivity is uncommon in SaaS. Should be time-limited and narrowly scoped.
Risk Implications: Grants exclusive rights within a scope, limiting ability to serve competing customers.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ○ P3 | Differing SLA uptime commitments and capped service-credit exposure across enterprise contracts |
| Northwind Logistics | ◆ P2 | Aggressive SLA commitments (99.9% uptime, 1-hour critical response) unverifiable — no architecture, capacity, or uptime- |
| Northwind Logistics | ◆ P2 | Multi-state sales/use tax nexus exposure on SaaS revenue with no evidence of collection or reserve |
▶ Renewal & Auto-Renewal 2
Market Norm: Auto-renewal with 30-90 day opt-out is standard in SaaS. 3-5% annual escalation caps are common.
Risk Implications: Auto-renewal provides revenue predictability. Manual renewal with short notice creates churn risk.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ○ P3 | Cobalt renewal uplift capped at 5%; Cobalt mid-term price held firm — standard pricing terms |
| Northwind Logistics | ○ P3 | Cobalt order form auto-renews 12-month terms with capped 5% uplift; 90-day non-renewal notice |
▶ Non-Compete 2
Market Norm: Should be reasonable in scope. 1-2 year duration is standard. Overly broad may be unenforceable.
Risk Implications: May restrict acquirer's ability to compete in certain markets or hire key personnel post-close.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ◆ P2 | Key-person dependency: single contractor built core Route Optimization Engine with no post-delivery retention or non-com |
| Northwind Logistics | ○ P3 | Founder concentration: CEO and co-founder hold 49.54% fully-diluted with no retention terms evidenced in data room |
▶ IP Ownership 1
Market Norm: Clear assignment of all work product to hiring party is standard. Joint ownership is risky.
Risk Implications: Unclear IP ownership can undermine the core asset. Work-for-hire and joint ownership create complexity.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ● P1 | Core Route Optimization Engine built by contractor with NO IP assignment — only a non-exclusive license to Northwind |
▶ Termination for Convenience 1
Market Norm: Common in enterprise SaaS. 30-90 day notice period is standard. TfC with <30 day notice is non-standard.
Risk Implications: Allows counterparty to exit without cause. Affects revenue quality and committed ARR calculations.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ◆ P2 | Harbor Foods (16.5% of ARR) holds 30-day termination-for-convenience right with pro-rata refund |
▶ Liability Cap 1
Market Norm: Cap at 12-24 months of fees paid is standard. Mutual caps are preferred.
Risk Implications: Caps limit financial exposure. Asymmetric caps or missing carve-outs for IP breaches increase risk.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ○ P3 | Standard mutual liability caps (12-month fees) across enterprise MSAs |
▶ Warranty 1
Market Norm: Limited warranty for conformance to specs. 12-month period is standard. Disclaimer of implied warranties is common.
Risk Implications: Broad warranties increase exposure. Extended periods or uncapped remedies create ongoing liability.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ● P1 | Cobalt $28.8M prepaid recognized front-loaded in Year 1 rather than ratably — overstates revenue/ARR quality; possible r |
▶ Confidentiality & NDA 1
Market Norm: Mutual NDA with 2-5 year term is standard. Carve-outs for independently developed information are expected.
Risk Implications: Missing or expired NDAs create information security risk. Broad carve-outs may expose sensitive data.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ○ P3 | Customer MSAs commit only to 'commercially reasonable' safeguards with no named standard |
▶ Governing Law & Jurisdiction 1
Market Norm: Governing law typically matches vendor's primary jurisdiction. Arbitration is common internationally.
Risk Implications: Unfavorable jurisdiction increases litigation cost. Multiple governing laws create complexity.
| Entity | Severity | Finding |
|---|---|---|
| Northwind Logistics | ○ P3 | Cobalt $28.8M up-front prepayment creates significant book-tax timing difference / advance-payment income question |
Key Employee & Organizational Risk
4
Key Employee Findings
3
Retention Risks
3
Non-Compete Gaps
| Entity | Severity | Finding | Category |
|---|---|---|---|
| Northwind Logistics | ○ P3 | Employee IP assignment standard form is robust (present assignment + work-for-hire) but applies only to employees | employment agreements |
| Northwind Logistics | ◆ P2 | Key-person dependency: single contractor built core Route Optimization Engine with no post-delivery retention or non-com | key talent retention |
| Northwind Logistics | ◆ P2 | Standard employee agreement contains no non-compete or non-solicit; at-will employment creates post-close flight risk | key talent retention |
| Northwind Logistics | ○ P3 | Founder concentration: CEO and co-founder hold 49.54% fully-diluted with no retention terms evidenced in data room | key talent retention |
Technology Stack Assessment
3
Tech Findings
3
Security Gaps
0
Technical Debt
0
Migration Risks
| Entity | Severity | Finding | Sub-Category |
|---|---|---|---|
| Northwind Logistics | ◆ P2 | Aggressive SLA commitments (99.9% uptime, 1-hour critical response) unverifiable — no architecture, capacity, or uptime- | Security Posture |
| Northwind Logistics | ○ P3 | Documented contractual security controls (TOMs) exist only via single-customer DPA, not enterprise-wide certification | Security Posture |
| Northwind Logistics | ○ P3 | Customer MSAs commit only to 'commercially reasonable' safeguards with no named standard | Security Posture |
Product Adoption Matrix
100% Single-Product Customers
High single-product dependency increases churn risk — customers using only one product are easier to replace.
1
Products Identified
0
Multi-Product Customers
100%
Single-Product Risk
| Entity | sole-proprietor contractor performs core platform development under company direction | Product Count |
|---|---|---|
| Northwind Logistics | ✓ | 1 |
Data Reconciliation
18
Data Points
13
Matches
5
Mismatches
72%
Match Rate
| Entity | Field | Contract Value | Reference Value | Match |
|---|---|---|---|---|
| Northwind Logistics | Meridian Freight ARR / annual fee | $12,400,000 annual fee | $12,400,000 (30.1% of ARR) | Yes |
| Northwind Logistics | Cobalt Retail annual fee / TCV | $9,600,000/yr; $28,800,000 TCV (36-mo prepaid) | $9,600,000 ARR (23.3%); $28.8M TCV collected 2025-01-15 | Yes |
| Northwind Logistics | Tidewater annual fee and % of ARR | USD $3,100,000 (~7.5% of total ARR) | $3,100,000 (7.5% of ARR) | Yes |
| Northwind Logistics | Top-3 customer concentration | Meridian + Cobalt + Harbor contract fees = $12.4M + $9.6M + $6.8M = $28.8M | 69.9% of total ARR | Yes |
| Northwind Logistics | Meridian Freight ARR | $12,400,000 annual fee | $12,400,000 (30.1% of ARR) | Yes |
| Northwind Logistics | Cobalt Retail ARR | $9,600,000/yr (TCV $28,800,000 over 36 months) | $9,600,000 (23.3% of ARR); TCV $28,800,000 | Yes |
| Northwind Logistics | Harbor Foods ARR | $6,800,000 annual fee | $6,800,000 (16.5% of ARR) | Yes |
| Northwind Logistics | Granite Manufacturing ARR | $4,500,000 annual fee ($1,125,000/qtr in arrears) | $4,500,000 (10.9% of ARR) | Yes |
| Northwind Logistics | Tidewater Distribution ARR | USD $3,100,000 annual subscription fee (EUR-billed) | $3,100,000 (7.5% of ARR, EUR-billed) | Yes |
| Northwind Logistics | Cobalt revenue recognition timing (recognized vs deferred) | $28,800,000 prepaid; service period 2025-01-01 to 2027-12-31 (ratable ≈ $800,000/month) | Recognized front-loaded in Year 1; ~$16,800,000 should remain deferred at 2026-03-31 on a straight-line basis | No |
| Northwind Logistics | Meridian Freight annual contract value vs ARR schedule | $12,400,000 | $12,400,000 (30.1%) | Yes |
| Northwind Logistics | Cobalt prepaid revenue recognition method (front-loaded vs ratable) | $28,800,000 TCV, single up-front prepayment, 36-month service period Jan 2025-Dec 2027 | Recognized with a front-loaded Year-1 tranche rather than ratably (~$9.6M/yr straight-line); ~$16.8M deferred at 2026-03-31 on straight-line basis | No |
| Northwind Logistics | Route Optimization Engine IP ownership (contractor-built core module) | Non-exclusive license only; no IP assignment to Company | Route-optimization is described as 'a core differentiating feature' powering 'largest enterprise customer accounts' | No |
| Northwind Logistics | Tidewater EU data sub-processor transfer compliance (churn/regulatory risk on 7.5% ARR) | Tidewater DPA §5.3/§6 require all non-EEA sub-processors to be Annex-2 listed with SCCs | TelemetryWorks Inc. (Portland, OR, USA) processes Tidewater driver telemetry but is NOT in Annex 2; no SCCs, no DPA, no transfer mechanism — OPEN/unresolved | No |
| Northwind Logistics | Tidewater Distribution N.V. annual subscription fee / % of ARR | USD $3,100,000 (~7.5% of total ARR) | $3,100,000 — 7.5% of ARR | Yes |
| Northwind Logistics | Approved sub-processors for Tidewater EU personal data | DPA Annex 2 names: Aurora Cloud Hosting GmbH (Frankfurt), Helvetia Mail Relay AG (Zürich), Brussels Support Partners BV (Antwerpen), Northwind EEA branch (Frankfurt) | Sub-Processor Register names entirely different entities: CloudHarbor EU GmbH, MessageRoute SAS, TelemetryWorks Inc. (US, NOT LISTED), LedgerPay Ltd., HelpDeskNow Inc., ArchiveVault EU | No |
| Northwind Logistics | Tidewater EU annual subscription fee (EUR-billed) as share of ARR | $3,100,000 (~7.5% of total ARR) | $3,100,000 (7.5%), EUR-billed | Yes |
| Northwind Logistics | Tidewater annual subscription fee / % of total ARR | USD $3,100,000 (~7.5% of Provider's total ARR) | $3,100,000 — 7.5% of total ARR (Tidewater Distribution N.V.) | Yes |
Entity Health Tiers
1 entities require immediate attention
Tier 1 (Critical): 1 entities have P0 findings. Tier 2 (High): 0 entities have P1 findings. Tier 3 (Standard): 0 of 1 entities have only lower-severity findings.
1
Tier 1 — Critical
0
Tier 2 — High
0
Tier 3 — Standard
1
Total Entities
Tier 1 — Immediate Attention
- T1 Northwind Logistics
Recommendations
Immediate
Resolve 2 P0 Critical Findings Before Closing
2 critical findings require immediate resolution. These represent potential deal-breakers that must be addressed or mitigated with appropriate deal structure protections.
Pre-Close
Obtain Assignment Consent from 1 Entities
13 change-of-control findings across 1 entities. 9 require consent — initiate outreach to key customers. Consider escrow holdback for consent-dependent revenue. 1 are notification-only (routine administrative step).
Pre-Close
Negotiate Customer Concentration Protection
HHI concentration index of 10000 indicates high customer concentration. Consider earn-out tied to customer retention (10-30% of consideration) or escrow holdback for 12-24 months.
Pre-Close
Remediate 10 Data Privacy & Security Gaps
10 data privacy findings identified. Assess GDPR/CCPA compliance status and DPA coverage. Typical remediation cost: $200K-$2M depending on gap severity.
Pre-Close
Close 54 Documentation Gaps
54 documentation gaps identified. Request missing documents from the target company. Prioritize gaps affecting P0/P1 findings.
Valuation
Model TfC Revenue Exposure for 1 Entities
Revenue from TfC contracts is non-committed. Model as at-risk ARR in valuation analysis.
Positive
1 Entities Have No Critical/High Findings
1 of 2 entities analyzed have no P0 or P1 findings, indicating a healthy base of low-risk contracts.
Post-Close Integration Playbook
100
Churn Risk Score
Critical
Churn Risk Level
High
Integration Complexity
Churn Risk Score: 100/100 (Critical)
Estimated $28.8M ARR at elevated churn risk. Recommend retention-focused integration plan with customer outreach within first 30 days post-close.
Integration Risk Factors
| Risk Factor | Impact | ARR at Risk |
|---|---|---|
| Change of Control exposure | high | $28.8M |
| Termination for Convenience clauses | high | $28.8M |
Integration Milestones
Pre-Close
- Identify 13 contracts requiring consent/notice for CoC
- Assess 1 contracts with TfC risk for retention strategy
Day 1
- Communicate acquisition to key accounts
- Send consent/notice letters for CoC-triggered contracts
Day 30-90
- Complete customer outreach for top revenue accounts
- Implement retention plans for at-risk contracts
Day 90-180
- Monitor churn signals and contract renewals
- Execute pricing/contract harmonization where needed
Governance Graph
Document governance relationships showing how contracts reference, amend, or supersede each other.
1
Entities with Graphs
11
Document Relationships
governs (solid arrow)amends (dashed arrow)supersedes (thick arrow)references (dotted arrow)
Northwind_Logistics
graph LR
msa_meridian_freight_pdf_md["msa_meridian_freight.pdf.md"]
Northwind_Logistics_Software__Inc_["Northwind Logistics Software, Inc."]
msa_meridian_freight_pdf_md -->|provider| Northwind_Logistics_Software__Inc_
msa_harbor_foods_pdf_md["msa_harbor_foods.pdf.md"]
msa_harbor_foods_pdf_md -->|provider| Northwind_Logistics_Software__Inc_
msa_granite_manufacturing_pdf_md["msa_granite_manufacturing.pdf.md"]
msa_granite_manufacturing_pdf_md -->|provider| Northwind_Logistics_Software__Inc_
order_form_cobalt_retail_pdf_md["order_form_cobalt_retail.pdf.md"]
MSA_dated_December_18__2024__NOT_in_data["MSA dated December 18, 2024 (NOT in data room)"]
order_form_cobalt_retail_pdf_md -->|governed_by| MSA_dated_December_18__2024__NOT_in_data
dpa_tidewater_pdf_md["dpa_tidewater.pdf.md"]
Tidewater_MSA_dated_1_March_2025__NOT_in["Tidewater MSA dated 1 March 2025 (NOT in data room)"]
dpa_tidewater_pdf_md -->|incorporated_into| Tidewater_MSA_dated_1_March_2025__NOT_in
contractor_agreement_route_engine_pdf_md["contractor_agreement_route_engine.pdf.md"]
contractor_agreement_route_engine_pdf_md -->|company| Northwind_Logistics_Software__Inc_
employment_ip_agreement_pdf_md["employment_ip_agreement.pdf.md"]
employment_ip_agreement_pdf_md -->|company| Northwind_Logistics_Software__Inc_
subprocessor_register_pdf_md["subprocessor_register.pdf.md"]
Northwind_Logistics_Software__Inc___DPO_["Northwind Logistics Software, Inc. (DPO)"]
subprocessor_register_pdf_md -->|maintained_by| Northwind_Logistics_Software__Inc___DPO_
TelemetryWorks_Inc_["TelemetryWorks Inc."]
Northwind_Logistics_Software__Inc_ -->|sub-processor (eu driver telemetry, us-hosted, unauthorized)| TelemetryWorks_Inc_
CloudHarbor_EU_GmbH["CloudHarbor EU GmbH"]
Northwind_Logistics_Software__Inc_ -->|sub-processor (primary eea hosting)| CloudHarbor_EU_GmbH
Tidewater_Distribution_N_V_["Tidewater Distribution N.V."]
Northwind_Logistics_Software__Inc_ -->|processor-controller (gdpr art.28 dpa)| Tidewater_Distribution_N_V_
Missing or Incomplete Data (54 items)
Documentation Gaps (54)
▶By Priority
● P1 8
◆ P2 23
○ P3 23
By Type
Contradiction: 2
Missing_Data: 17
Missing_Doc: 35
| Entity | Priority | Type | Missing Item | Risk | Why Needed | Request to Company | Agent |
|---|---|---|---|---|---|---|---|
| Northwind Logistics | P1 | Missing_Doc | Cobalt Retail Group Master Services Agreement (the MSA referenced by Order Form NW-OF-2025-0007, dated December 18, 2024) | Unknown CoC/termination exposure on the single largest cash-collected contract; cannot confirm whether the Summit acquisition triggers any Cobalt consent or termination right, or whether the $28.8M prepayment is refundable on a CoC/termination. | Cobalt is the #2 customer at $9,600,000 ARR (23.3% of total ARR) with a $28.8M prepaid TCV. Only the Order Form is in the data room; it incorporates the underlying MSA by reference but that MSA is absent. Change-of-control, assignment, termination, liability, and IP terms governing 23.3% of revenue cannot be assessed. | Provide the executed Cobalt Retail Group MSA dated December 18, 2024 (and any amendments) referenced in Order Form NW-OF-2025-0007 §9 / MSA Reference line. | legal |
| Northwind Logistics | P2 | Missing_Doc | Tidewater Distribution N.V. Master Services Agreement (the agreement into which the Tidewater DPA is incorporated) | Cannot evaluate Tidewater's termination/CoC rights or its contractual claims arising from the unauthorized US telemetry transfer. | Tidewater is the only EU customer ($3,100,000 ARR, 7.5%) and the subject of an active GDPR transfer violation. The DPA is present but the underlying MSA (with CoC, assignment, termination, liability terms) is not, so the customer's contractual remedies for the GDPR breach and any CoC rights cannot be assessed. | Provide the executed Tidewater Distribution N.V. MSA for cloud freight-management software referenced as dated 1 March 2025 in the DPA. | legal |
| Northwind Logistics | P1 | Missing_Doc | Present IP assignment / work-made-for-hire confirmation from contractor Signatory C for the Route Optimization Engine | Contractor retains ownership of core algorithms/source code and could exploit or license them to competitors; the non-exclusive license is not stated to be irrevocable/perpetual, creating freedom-to-operate and IP-portfolio-strength risk. | The Route Optimization Engine is a core platform component but the contractor agreement grants Northwind only a non-exclusive license with no ownership assignment. An executed assignment is required for Northwind (and the acquirer) to own the IP of a core differentiating feature. | Provide any executed IP assignment, deliverable acceptance with assignment language, or side letter transferring ownership of the Route Optimization Engine work product from Signatory C to Northwind; if none exists, obtain a present assignment pre-close. | legal |
| Northwind Logistics | P2 | Missing_Data | Executed (signed and dated) copies of the Employee Proprietary Information and Inventions Assignment Agreement for key personnel | Cannot confirm that all employees who created platform IP actually executed the assignment; potential gaps in IP chain-of-title for employee-created code. | The employee IP agreement in the data room is a blank standard form with unsigned, undated signature and Exhibit A (Prior Inventions) blocks. To confirm IP chain-of-title for the core platform, executed agreements for founders/engineers (e.g., the CEO and lead architects) are needed. | Provide executed copies of the Employee Proprietary Information and Inventions Assignment Agreement for all founders and engineering personnel, with completed Exhibit A (Prior Inventions). | legal |
| Northwind Logistics | P1 | Missing_Doc | Executed SCCs and Article 28 DPA between Northwind and TelemetryWorks Inc.; updated Tidewater DPA Annex 2 | Ongoing GDPR Chapter V / Article 28 violation; supervisory-authority fines and Tidewater contractual claims; acquirer inherits the exposure at closing. | Required to lawfully transfer EU driver telemetry to the US sub-processor and to satisfy the Tidewater DPA sub-processing/notice obligations. The sub-processor register confirms none exist and all remediation items are 'Not started.' | Provide (or commit to executing pre-close) EU 2021 controller-to-processor SCCs and an Article 28 DPA with TelemetryWorks, a transfer-impact assessment, and the Tidewater Annex 2 update/notification; or confirm telemetry re-routing to EEA-hosted analytics. | legal |
| Northwind Logistics | P2 | Missing_Doc | Certificate of Incorporation (as amended) and Series A/B Preferred Stock Purchase Agreements | Cannot confirm the precise stockholder consent thresholds and protective provisions that condition the acquisition closing. | Referenced as Exhibits C and D to the cap table summary; needed to confirm the exact CoC definition, Series B protective provisions (CoC consent), liquidation preference waterfall, and any drag-along/consent mechanics affecting closing. | Provide the current Certificate of Incorporation (as amended) and the Series A and Series B Preferred Stock Purchase Agreements (cap table Exhibits C and D). | legal |
| Northwind Logistics | P2 | Contradiction | Reconciliation of conflicting Tidewater DPA execution dates | Ambiguity over which DPA version governs and the breach timeline for the TelemetryWorks transfer. | The Tidewater DPA states it is incorporated into an MSA 'dated 1 March 2025' and is signed 1 March 2025, while the sub-processor register states the 'Tidewater DPA executed 2024-09-12.' The correct effective date matters for determining when GDPR obligations (and the unauthorized-transfer breach window) began. | Confirm the correct Tidewater DPA execution date and provide all DPA versions (2024-09-12 and/or 1 March 2025) and Annex 2 revisions. | legal |
| Northwind Logistics | P3 | Missing_Doc | Exclusivity clause search — none found in any customer contract | Low — absence of exclusivity is generally favorable; recorded for completeness. All access grants are expressly 'non-exclusive.' | Standard DD check for exclusivity/sole-provider commitments that could restrict the combined entity. Reviewed all four MSAs and the Cobalt order form. | Confirm no side letters grant any customer exclusivity, MFN, or most-favored pricing rights. | legal |
| Northwind Logistics | P1 | Missing_Doc | Audited financial statements (trailing twelve months) for Northwind Logistics Software, Inc. | Reported revenue and ARR quality cannot be independently verified; risk of overstatement and post-close restatement. | All ARR/revenue figures in the data room are management-prepared and unaudited; the ARR schedule is certified only by the CEO (Signatory A). A TTM audit is needed to validate revenue, particularly given the flagged Cobalt front-loaded recognition and the unreserved Harbor refund liability. | Provide audited (or independently reviewed) financial statements for the trailing twelve months ended 2026-03-31, including the deferred-revenue waterfall. | finance |
| Northwind Logistics | P1 | Missing_Data | GL deferred-revenue waterfall / balance-sheet confirmation of Cobalt unconsumed ~$16.8M deferred balance | Cannot quantify the revenue-quality adjustment or the size of any restatement of the front-loaded Cobalt recognition. | FP&A note recommends confirming the deferred-revenue balance attributable to the Cobalt prepaid arrangement (~$16.8M straight-line) against the GL; needed to quantify the recognized-vs-deferred restatement. | Provide the GL deferred-revenue waterfall as of 2026-03-31 and the ASC 606 performance-obligation memo for the Cobalt arrangement. | finance |
| Northwind Logistics | P2 | Missing_Doc | Insurance program documentation (E&O / professional liability / cyber insurance policies and limits) | Unquantified exposure on indemnity, data-breach, and professional-liability claims with no documented risk transfer. | No insurance, errors-and-omissions, professional-liability, or cyber-insurance requirement or certificate appears in any reviewed contract or financial document. Given SaaS data-processing exposure (GDPR, telemetry) and customer indemnities, the buyer needs the insurance program to assess risk transfer. | Provide current insurance certificates and policy schedules (E&O/professional liability, cyber, general liability) with limits and expiry dates. | finance |
| Northwind Logistics | P1 | Missing_Doc | Executed Cobalt Retail Group Master Services Agreement dated December 18, 2024 | Undisclosed change-of-control termination or pro-rata refund exposure on a fully-prepaid $28.8M arrangement cannot be assessed; if the Cobalt MSA mirrors Meridian's CoC right, an additional 23.3% of ARR could be at risk on close. | The Cobalt order form (23.3% of ARR, $28.8M prepaid) is governed by and incorporates this MSA, but only the order form is in the data room. The MSA contains the CoC, termination, SLA, indemnity, liability, and refund terms for the second-largest customer. | Provide the fully-executed Cobalt Retail Group MSA dated December 18, 2024, including all exhibits, CoC and termination clauses, and any amendments or side letters. | commercial |
| Northwind Logistics | P2 | Missing_Doc | Executed Tidewater Distribution N.V. Master Services Agreement dated 1 March 2025 | Cannot assess whether the EU customer holds CoC/termination rights, and cannot evaluate churn risk compounded by the open GDPR sub-processor transfer violation affecting Tidewater data (see subprocessor_register.pdf). | The Tidewater DPA incorporates by reference an MSA dated 1 March 2025 for $3.1M / 7.5% of ARR (the only EU customer), but the MSA itself is not in the data room. CoC, termination, renewal, and SLA terms for the EU account are unverifiable. | Provide the executed Tidewater Distribution N.V. MSA dated 1 March 2025 and all exhibits/order forms. | commercial |
| Northwind Logistics | P3 | Missing_Doc | Customer contracts / click-through terms for the 47 long-tail SMB accounts (11.7% of ARR) | Cannot verify renewal mechanics, TfC rights, or CoC terms for the long-tail cohort, or confirm enforceability of click-through terms. | 47 SMB accounts totaling $4.8M / 11.7% of ARR are described as 'click-through terms' but no representative agreement or order form is in the data room. | Provide the standard SMB click-through/online terms of service and a sample executed SMB order form. | commercial |
| Northwind Logistics | P3 | Missing_Data | Customer Health Scores / churn-risk dashboard for the enterprise customer cohort | Termination/renewal risks cannot be weighted by likelihood of exercise; reliance on management's 'manageable concentration' assertion only. | Commercial diligence requires cross-referencing contract terms (esp. Meridian CoC and Harbor TfC) against customer health/satisfaction data to assess actual churn propensity. | Provide customer health scores, NPS/CSAT data, support-ticket trends, and any at-risk-account watchlist for the top-5 accounts. | commercial |
| Northwind Logistics | P3 | Missing_Data | Standard rate card / pricing schedule | Cannot evaluate pricing-model risk (per-seat vs enterprise flat) or whether renewal uplift caps (e.g., Cobalt 5%) keep pace with cost; effective pricing per cohort unverifiable. | To benchmark effective per-account pricing and assess discounting consistency across the enterprise cohort and renewal uplift assumptions. | Provide the current standard rate card / price book and discount-approval policy. | commercial |
| Northwind Logistics | P3 | Missing_Data | Most Favored Nation (MFN) / price-parity clause | Low — searched all four MSAs and the Cobalt order form; no MFN, price-parity, or most-favored-customer language found. Recorded as Not_Found per extraction guidance. | MFN/best-price clauses would constrain future pricing and create cross-customer repricing exposure. | Confirm no customer agreement contains MFN, price-parity, or most-favored-customer provisions. | commercial |
| Northwind Logistics | P3 | Missing_Data | Exclusivity / sole-provider clause | Low — all access grants are expressly 'non-exclusive'; no exclusivity, sole-provider, or preferred-vendor language found in any agreement. Recorded as Not_Found. | Exclusivity or preferred-vendor status would affect competitive positioning and customer lock-in valuation. | Confirm no customer agreement grants exclusivity or sole/preferred-vendor status. | commercial |
| Northwind Logistics | P2 | Missing_Doc | SOC 2 (Type I/II) report or equivalent independent security audit for the Northwind TMS platform | Security posture cannot be independently verified; undisclosed control gaps could surface post-close as customer audit failures, breach liability, or remediation cost. | Customer MSAs commit to 'commercially reasonable' and 'industry standard' security safeguards and the Tidewater DPA Annex 1 represents a full TOM set (AES-256 at rest, TLS 1.2+, MFA, IDS, annual pentest). Independent attestation is needed to validate these claims for a SaaS platform processing enterprise and EU personal data. | Provide the most recent SOC 2 Type II report (or ISO 27001 certificate) covering the TMS platform, including scope, period, and any noted exceptions. | producttech |
| Northwind Logistics | P2 | Missing_Doc | Independent penetration test report referenced by the Tidewater DPA Annex 1 | Unable to confirm pentest cadence is met or whether material findings remain open; potential unremediated vulnerabilities affecting customer/EU data. | DPA Annex 1 item 6 commits to 'Annual penetration testing by an independent third party.' The actual report (findings, severities, remediation status) is needed to assess current security posture and open vulnerabilities. | Provide the two most recent independent penetration test reports with finding IDs, severities, and remediation status. | producttech |
| Northwind Logistics | P2 | Missing_Doc | Data Processing Addendum for Cobalt Retail Group (referenced as incorporated into the MSA but absent) | Cannot verify data-protection terms, sub-processor obligations, or breach-notification commitments for a 23.3%-of-ARR customer; potential undisclosed obligations. | Cobalt Order Form Section 5.4 states 'Provider's processing of Customer personal data is governed by the Data Processing Addendum incorporated into the MSA,' but no Cobalt DPA (or the underlying Cobalt MSA dated Dec 18 2024) is present. Cobalt is the second-largest account (23.3% ARR). | Provide the executed Cobalt Retail Group MSA (dated December 18, 2024) and the incorporated Data Processing Addendum. | producttech |
| Northwind Logistics | P2 | Missing_Doc | Platform architecture / integration specification and technology-stack documentation | Integration cost and migration complexity cannot be estimated; hidden technical debt or scalability constraints may surface post-close. | No technical architecture diagram, integration/API specification, technology-stack inventory, or capacity/scalability plan is present. These are needed to assess migration complexity into Summit, integration effort, vendor lock-in, and ability to meet 99.9% SLAs. | Provide platform architecture documentation, the carrier/EDI integration spec (Cobalt order references up to 75 connected carriers + EDI gateway), technology-stack inventory, and any capacity/scaling plans. | producttech |
| Northwind Logistics | P1 | Missing_Doc | Executed Article 28 DPA and EU SCCs between Northwind and TelemetryWorks Inc. | Ongoing unlawful Chapter V transfer of EU personal data; GDPR enforcement exposure (fines up to 4% of global turnover) and breach of the Tidewater DPA; potential customer termination/claim. | TelemetryWorks actively processes EU driver telemetry in the USA with no DPA and no transfer mechanism (see finding above). Executed SCCs and an Article 28 DPA are legally required to lawfully continue the data flow. | Provide executed EU 2021 controller-to-processor SCCs and an Article 28 DPA with TelemetryWorks, a transfer-impact assessment, and confirmation of Tidewater notification / Annex 2 update — or confirmation that telemetry has been re-routed to EEA-hosted analytics. | producttech |
| Northwind Logistics | P2 | Contradiction | Reconciliation of Tidewater DPA execution date (1 March 2025 on the signed DPA vs 2024-09-12 cited in the Sub-Processor Register) | Uncertainty over which DPA version and Annex 2 list is authoritative; weakens reliance on the GDPR documentation set. | The signed DPA is dated 1 March 2025; the Sub-Processor Register states the Tidewater DPA was executed 2024-09-12. The correct effective/execution date is needed to establish the compliance timeline and which sub-processor list governs. | Confirm the correct Tidewater DPA execution date and provide all DPA versions/amendments with their effective dates. | producttech |
| Northwind Logistics | P2 | Missing_Doc | SOC 2 Type II report | Cannot independently verify that the controls represented in the Tidewater DPA Annex 1 are actually implemented and operating; may impede enterprise customer retention/new-logo acquisition. | Standard evidence of operating effectiveness of security controls for a B2B SaaS provider; enterprise customers (Meridian, Cobalt) typically require it. | Provide the most recent SOC 2 Type II report (and bridge letter) including scope, period, and any noted exceptions. | cybersecurity |
| Northwind Logistics | P2 | Missing_Doc | ISO/IEC 27001 certificate | No evidence of a recognized security governance framework or its certification status; framework maturity unverifiable. | Confirms an established, audited information security management system (ISMS) and current certification validity. | Provide ISO 27001 certificate with scope statement and validity dates, or confirm no certification is held. | cybersecurity |
| Northwind Logistics | P2 | Missing_Doc | Independent penetration test report | Cannot assess outstanding high/critical vulnerabilities or remediation posture; contractual commitment to annual pentest is unverified. | The Tidewater DPA Annex 1 commits to 'Annual penetration testing by an independent third party'; the report itself evidences findings and remediation status. | Provide the most recent independent penetration test report with finding IDs, severities, and remediation status. | cybersecurity |
| Northwind Logistics | P2 | Missing_Doc | Incident response plan (IRP) document | Cannot confirm breach detection/response capability or whether the 72-hour notification obligation can be met. | The DPA commits to 'Documented incident-response and business-continuity procedures' and a 72-hour breach-notification obligation; the plan evidences readiness, last review date, and tabletop exercises. | Provide the documented incident response plan, last review/test date, and any tabletop exercise results. | cybersecurity |
| Northwind Logistics | P2 | Missing_Data | Data breach / security incident history disclosure | Undisclosed breaches affecting customer/driver PII could surface post-close as liability; no representation found either way. | Required to assess undisclosed breaches, regulatory notifications, and residual liability; a core DD item for a PII-processing SaaS. | Provide a written breach/incident history (last 5 years), including any regulatory notifications and remediation, or a no-incident representation. | cybersecurity |
| Northwind Logistics | P3 | Missing_Doc | Access control / MFA and identity governance policy | Cannot confirm MFA is enforced for all privileged accounts or that access reviews actually occur. | The DPA commits to MFA for admin/production access, RBAC, and quarterly access reviews; the underlying policy evidences enforcement scope and exceptions. | Provide the access control / identity management policy and evidence of the most recent quarterly access review. | cybersecurity |
| Northwind Logistics | P3 | Missing_Doc | Vulnerability management program / recent scan results | Unknown exposure to unpatched vulnerabilities in the production platform. | Evidences patch cadence, scan frequency, and outstanding vulnerabilities. | Provide the vulnerability management policy and the two most recent scan summaries. | cybersecurity |
| Northwind Logistics | P2 | Missing_Doc | Executive employment agreements and post-close retention/non-compete agreements for CEO (Signatory A) and Co-Founder (Holder Y) and other key personnel | Founder/key-talent departure at or shortly after closing with no restrictive covenants could impair operations, customer relationships, and product continuity; retention packages may need to be negotiated pre-close. | Founders hold 49.54% FD and the CEO is the central key person across the company; the acquirer needs to know whether founders/key staff are contractually retained post-close, subject to non-competes, and on what compensation terms. | Provide all executive employment agreements, offer letters, retention/stay-bonus agreements, earn-out terms, and any non-compete/non-solicit covenants for the CEO, co-founder, and named key personnel. | hr |
| Northwind Logistics | P2 | Missing_Doc | Option grant schedule with vesting and change-of-control acceleration terms (Exhibit B), and employee equity/CoC acceleration policy | Cannot quantify unvested retention overhang or golden-parachute/CoC acceleration cost; cannot assess whether key engineers have a stay incentive post-close. | Unvested equity and single/double-trigger CoC acceleration determine the cost and effectiveness of employee retention in the acquisition and the dilution/parachute exposure to the buyer. | Provide the full option grant schedule (grant date, strike, vesting, cliff), the equity incentive plan document, and any change-of-control acceleration provisions applicable to employee equity. | hr |
| Northwind Logistics | P3 | Missing_Data | Organizational chart, headcount roster, and workforce composition (by function, location, FT/PT/contractor) | Cannot assess bench strength, single-points-of-failure beyond the contractor/founders, or WARN-Act exposure from any planned reductions. | Baseline workforce composition is needed to assess organizational structure, succession bench strength, key-person concentration, and integration planning. | Provide a current org chart, full headcount roster by department and location, and a breakdown of employees vs. independent contractors. | hr |
| Northwind Logistics | P3 | Missing_Doc | Benefits documentation (health/welfare plans, 401(k)/retirement, deferred compensation) and any pension/post-retirement obligations | Unquantified benefits liabilities or deferred-compensation obligations could surface post-close; benefits harmonization costs unknown. | Required to quantify benefits liabilities (funded status, deferred comp, accrued PTO) and assess assumption/transition costs in the acquisition. | Provide summary plan descriptions for all employee benefit plans, 401(k)/retirement plan documents and funded status, deferred-compensation arrangements, and accrued PTO/leave liability. | hr |
| Northwind Logistics | P3 | Missing_Data | Labor compliance certifications, outstanding wage/hour or employment claims, and union/collective-bargaining status | Undisclosed employment litigation or labor exposure could create post-close liability not reflected in the purchase price. | Needed to confirm no pending employment litigation, labor-board proceedings, or CBA exposure, and to assess multi-jurisdiction (incl. any EU/international staff) labor compliance. | Provide a schedule of any pending or threatened employment claims, wage/hour audits, labor-board matters, and confirmation of union/CBA status and worker-classification methodology. | hr |
| Northwind Logistics | P2 | Missing_Doc | Federal and state income tax returns (and any foreign returns) for all open years | Undetected open-year liabilities, uncertain tax positions, or non-filing in states/countries where nexus exists transfer to the buyer in a stock deal. | Required to assess income-tax compliance, open-year exposure, effective tax rate, and the accuracy of the tax provision for a Delaware C-corp acquired on a stock basis. | Provide all filed federal, state, and foreign income tax returns for the last 3-4 open years, plus any extensions, amended returns, and audit correspondence. | tax |
| Northwind Logistics | P2 | Missing_Data | NOL / tax-attribute schedule and Section 382 ownership-change analysis | If material NOLs exist, the Section 382 annual limitation could sharply reduce or eliminate their value to the buyer; the benefit cannot be quantified or priced without the attribute schedule and a 382 study. | Northwind is a venture-funded startup (incorporated 2018, Series A/B) that likely has NOL carryforwards. Summit's acquisition of >50% of the equity is a Section 382 ownership change that would limit post-change NOL utilization. | Provide NOL and tax-credit carryforward schedules by jurisdiction with expiration, prior ownership-change (382) studies, and any built-in gain/loss analysis. | tax |
| Northwind Logistics | P2 | Missing_Doc | Transfer-pricing documentation for intra-group U.S.-Germany (EEA branch) operations | Absent transfer-pricing documentation, German and U.S. authorities could reassess intercompany charges, with penalties; PE attribution of profits to Germany may be undocumented. | The Tidewater DPA discloses intra-group EEA branch operations in Frankfurt; intercompany services between the U.S. parent and the German branch/affiliate require arm's-length pricing support (local file/master file) and may trigger CbCR considerations. | Provide transfer-pricing documentation (master/local file), intercompany services agreements, and any APAs covering the U.S.-Germany operations. | tax |
| Northwind Logistics | P2 | Missing_Doc | Sales/use tax nexus study, state registrations, and collection/remittance records | Uncollected SaaS sales tax (plus penalties/interest) across multiple states becomes a buyer liability in a stock acquisition; magnitude is unquantifiable without the study. | Needed to determine in which states SaaS is taxable and where Northwind has physical or economic nexus, and to verify whether sales/use tax has been collected and remitted. | Provide any sales/use tax nexus study, state sales-tax registrations, returns filed, exemption certificates collected, and any voluntary disclosure agreements. | tax |
| Northwind Logistics | P2 | Missing_Data | EU/German VAT registration status and VAT returns | Unregistered/uncollected VAT and incorrect place-of-supply treatment create EU VAT assessments plus penalties and interest. | EUR-billed EU revenue (Tidewater, $3.1M) combined with apparent German fixed establishment raises VAT registration, charging, and reporting obligations that must be confirmed. | Confirm EU/German VAT registration status, provide VAT returns, and explain VAT treatment of EU SaaS sales (reverse charge vs. local charge) given any German establishment. | tax |
| Northwind Logistics | P3 | Missing_Data | Tax provision / ASC 740 reserve detail (including uncertain tax positions) | Unreserved tax exposures could surface post-close as unrecorded liabilities; the buyer cannot assess provision adequacy. | Needed to evaluate whether reserves adequately cover the sales-tax nexus, PE/VAT, and worker-classification exposures identified, and to validate the deferred-tax effect of the Cobalt prepayment timing difference. | Provide the tax provision workpapers, ASC 740 UTP analysis, and deferred-tax schedules for the most recent periods. | tax |
| Northwind Logistics | P1 | Missing_Doc | Executed SCCs and Article 28 DPA between Northwind and TelemetryWorks Inc. (US sub-processor) | Continued unlawful international transfer of EU personal data; supervisory-authority enforcement and Art. 83 fines (up to 4% global turnover); Tidewater contractual breach and potential termination of a 7.5%-of-ARR EU account. | Required to establish a lawful GDPR Chapter V transfer basis for EU driver telemetry sent to the US and to satisfy the Tidewater DPA §5.2/§5.3 sub-processor flow-down obligations. The register confirms none exist. | Provide executed SCCs (Module Two, controller-to-processor), an executed Article 28 DPA with TelemetryWorks, and a transfer-impact assessment; or evidence that telemetry has been re-routed to EEA-hosted analytics. | regulatory |
| Northwind Logistics | P3 | Missing_Doc | Material licenses, permits, and regulatory authorizations inventory + transferability/CoC consent analysis | Cannot confirm absence of license-transfer obstacles. Risk is low given SaaS business model typically requires no industry operating licenses, but absence should be confirmed. | Standard regulatory DD requires inventory of any operating licenses/permits and assessment of whether they transfer or require consent on change of control. Northwind is a B2B SaaS TMS provider; no license documents are present in the data room. | Confirm whether the company holds any material operating licenses, permits, or regulatory registrations (e.g., FMCSA/broker authority, telecom, or data-broker registrations) and whether any require consent or re-application on the Summit acquisition. | regulatory |
| Northwind Logistics | P3 | Missing_Data | Regulatory enforcement / investigation status representation (GDPR supervisory authority, any sector regulator) | Undisclosed regulatory enforcement (e.g., a Belgian DPA complaint arising from the TelemetryWorks transfer) could create post-close liability. | To confirm there are no active or pending regulatory investigations, enforcement actions, or consent decrees. The board deck (DD-output) flags no such items, but no affirmative no-enforcement representation is in the data room. | Provide a representation as to any pending/threatened regulatory investigations, complaints, or enforcement actions, including any DPA inquiries relating to the disclosed TelemetryWorks transfer gap. | regulatory |
| Northwind Logistics | P3 | Missing_Data | Carbon emissions profile (Scope 1, 2, and 3) and cloud-hosting energy/emissions data | Combined-entity climate disclosure (SEC climate rule / CSRD if EU footprint scales) cannot be prepared without a baseline; energy-cost and carbon-pricing exposure of hosting cannot be quantified. | No greenhouse-gas inventory or carbon data exists anywhere in the data room. As a cloud SaaS company, Northwind's principal climate exposure is Scope 2 (purchased electricity for hosting) and Scope 3 (cloud infrastructure vendors such as CloudHarbor EU GmbH, ArchiveVault EU, Aurora Cloud Hosting GmbH). The acquirer (Summit Industrial Group) operates physical fleets, so consolidated climate-disclosure readiness will require Northwind's emissions baseline. | Provide any GHG inventory, cloud provider energy/carbon reports, or renewable-energy commitments for Northwind's hosting footprint (Frankfurt EEA region and others). | esg |
| Northwind Logistics | P3 | Missing_Doc | ESG governance structure, board ESG oversight, and materiality / double-materiality assessment | No structured identification of material ESG risks; the combined entity may need to stand up ESG governance and reporting from scratch post-close. | The Q1 2026 board deck enumerates key risks (concentration, competition, hiring, macro freight softness) but lists no ESG, climate, environmental, or sustainability risk and shows no board-level ESG oversight or materiality assessment. Acquirers increasingly expect a baseline ESG governance structure for integration and disclosure alignment (TCFD/SASB/GRI/CSRD). | Provide any ESG/sustainability policy, board committee charter covering ESG/climate, and any materiality assessment. | esg |
| Northwind Logistics | P3 | Missing_Doc | Environmental site assessments (Phase I/II ESA) for any owned or leased real property | Low residual risk that a leased/owned facility carries environmental liability not surfaced in the data room. | Standard environmental DD checklist item. As a cloud software company headquartered in Columbus, Ohio with no disclosed manufacturing, land holdings, or hazardous-materials operations, contamination/CERCLA exposure is inherently low, but no real-property schedule or ESA was provided to confirm the absence of owned/leased sites with environmental liability. | Confirm Northwind holds no owned real property and provide a list of leased premises; confirm no past operations involved hazardous materials or contaminated sites. | esg |
| Northwind Logistics | P3 | Missing_Data | ESG disclosure / CSRD applicability assessment for EU activities | If EU presence grows under Summit, CSRD/ESRS reporting obligations could attach without preparation; misjudging scope could create non-compliance exposure. | Northwind serves an EU customer (Tidewater Distribution N.V., Belgium) and operates an intra-group EEA branch in Frankfurt (per Tidewater DPA Annex 2). Whether the entity or the post-close group triggers CSRD or other EU non-financial disclosure obligations is not assessed in the data room. | Provide an assessment of EU establishment size (headcount, turnover) and any analysis of CSRD/ESRS or local non-financial reporting applicability for the Frankfurt branch and EU operations. | esg |
| Reference | P3 | Missing_Doc | Cybersecurity content in acquirer reference overview | None for cybersecurity scope — this is acquirer context only and is explicitly not routed for findings. Data-privacy/GDPR posture is flagged as a buyer diligence focus area, which is addressed via the target's documents. | The buyer_overview.pdf.md is an acquirer-context reference document; it contains no cybersecurity posture, breach history, certifications, or security obligations to analyze. | No request required; security diligence is conducted against the target (Northwind) documents. | cybersecurity |
| Reference | P3 | Missing_Data | Any workforce, compensation, benefits, or labor-compliance content for the target (none present in reference subject) | None at the reference-subject level; HR analysis is performed against the target's own documents. | The _reference subject contains only the acquirer-context overview, which is explicitly not routed for findings; HR workforce data for the target resides under the Northwind_Logistics subject. | No request specific to this subject; workforce documentation requests are recorded against the Northwind_Logistics subject. | hr |
| Reference | P3 | Missing_Doc | Deal-structure tax analysis (stock vs. asset / 338(h)(10) or 336(e) election) for the acquisition | Without a defined structure and election analysis, the buyer cannot assess inheritance of historical tax liabilities, NOL preservation/limitation, or the value of a potential asset step-up. | The buyer overview confirms a 100% acquisition of a Delaware C-corp but does not specify whether the transaction is structured as a stock or asset purchase, nor whether any step-up election (e.g., 338(h)(10), 336(e)) is contemplated. This drives whether historical tax liabilities and attributes (including Section 382-limited NOLs) carry over to the buyer and whether a basis step-up is available. | Provide the draft purchase agreement structure, any tax structuring memo or opinion, and confirmation of any contemplated step-up elections. | tax |
| Reference | P3 | Missing_Doc | Antitrust / merger-control (HSR) filing analysis for the Summit–Northwind acquisition | Unassessed antitrust filing obligation could delay closing or expose parties to gun-jumping/penalty risk; however, target size suggests likely below US HSR threshold. | The buyer overview confirms a 100% acquisition of Northwind (~$41.2M ARR) by Summit Industrial Group, expected to close Q3 2026. A determination of whether the transaction meets the Hart-Scott-Rodino size-of-transaction threshold (or any non-US merger-control thresholds) is needed to confirm closing timeline and filing obligations. | Provide deal-value/consideration figures and confirm whether HSR or any foreign merger-control filing is required, with counsel's assessment. | regulatory |
| Reference | P3 | Missing_Data | Acquirer (Summit Industrial Group) ESG / carbon profile and Northwind ESG baseline for post-close integration | Combined entity may face climate-disclosure obligations (e.g., SEC climate rule, CSRD if EU footprint scales) without a baseline emissions inventory; integration ESG synergies/risks cannot be quantified. | The acquirer overview describes Summit Industrial Group as an industrial/logistics platform with 'existing fleet operations,' which carry direct Scope 1 carbon exposure. No ESG baseline (carbon, governance, disclosure) is provided for either the acquirer or the target to support post-close ESG integration or consolidated climate-disclosure readiness. | Provide Summit Industrial Group's most recent GHG inventory (Scope 1/2/3) and any ESG/sustainability reporting, plus Northwind's cloud-hosting energy/emissions data, to establish a consolidated ESG baseline. | esg |
Entity Detail
Northwind Logistics (44 findings, 49 gaps) P0:2 P1:10 P2:17 P3:15▶
Cross-Reference Reconciliation
| Field | Source A | Source B | Match |
|---|---|---|---|
| Meridian Freight ARR / annual fee | $12,400,000 annual fee | $12,400,000 (30.1% of ARR) | Yes |
| Cobalt Retail annual fee / TCV | $9,600,000/yr; $28,800,000 TCV (36-mo prepaid) | $9,600,000 ARR (23.3%); $28.8M TCV collected 2025-01-15 | Yes |
| Tidewater annual fee and % of ARR | USD $3,100,000 (~7.5% of total ARR) | $3,100,000 (7.5% of ARR) | Yes |
| Top-3 customer concentration | Meridian + Cobalt + Harbor contract fees = $12.4M + $9.6M + $6.8M = $28.8M | 69.9% of total ARR | Yes |
| Meridian Freight ARR | $12,400,000 annual fee | $12,400,000 (30.1% of ARR) | Yes |
| Cobalt Retail ARR | $9,600,000/yr (TCV $28,800,000 over 36 months) | $9,600,000 (23.3% of ARR); TCV $28,800,000 | Yes |
| Harbor Foods ARR | $6,800,000 annual fee | $6,800,000 (16.5% of ARR) | Yes |
| Granite Manufacturing ARR | $4,500,000 annual fee ($1,125,000/qtr in arrears) | $4,500,000 (10.9% of ARR) | Yes |
| Tidewater Distribution ARR | USD $3,100,000 annual subscription fee (EUR-billed) | $3,100,000 (7.5% of ARR, EUR-billed) | Yes |
| Cobalt revenue recognition timing (recognized vs deferred) | $28,800,000 prepaid; service period 2025-01-01 to 2027-12-31 (ratable ≈ $800,000/month) | Recognized front-loaded in Year 1; ~$16,800,000 should remain deferred at 2026-03-31 on a straight-line basis | No |
| Meridian Freight annual contract value vs ARR schedule | $12,400,000 | $12,400,000 (30.1%) | Yes |
| Cobalt prepaid revenue recognition method (front-loaded vs ratable) | $28,800,000 TCV, single up-front prepayment, 36-month service period Jan 2025-Dec 2027 | Recognized with a front-loaded Year-1 tranche rather than ratably (~$9.6M/yr straight-line); ~$16.8M deferred at 2026-03-31 on straight-line basis | No |
| Route Optimization Engine IP ownership (contractor-built core module) | Non-exclusive license only; no IP assignment to Company | Route-optimization is described as 'a core differentiating feature' powering 'largest enterprise customer accounts' | No |
| Tidewater EU data sub-processor transfer compliance (churn/regulatory risk on 7.5% ARR) | Tidewater DPA §5.3/§6 require all non-EEA sub-processors to be Annex-2 listed with SCCs | TelemetryWorks Inc. (Portland, OR, USA) processes Tidewater driver telemetry but is NOT in Annex 2; no SCCs, no DPA, no transfer mechanism — OPEN/unresolved | No |
| Tidewater Distribution N.V. annual subscription fee / % of ARR | USD $3,100,000 (~7.5% of total ARR) | $3,100,000 — 7.5% of ARR | Yes |
| Approved sub-processors for Tidewater EU personal data | DPA Annex 2 names: Aurora Cloud Hosting GmbH (Frankfurt), Helvetia Mail Relay AG (Zürich), Brussels Support Partners BV (Antwerpen), Northwind EEA branch (Frankfurt) | Sub-Processor Register names entirely different entities: CloudHarbor EU GmbH, MessageRoute SAS, TelemetryWorks Inc. (US, NOT LISTED), LedgerPay Ltd., HelpDeskNow Inc., ArchiveVault EU | No |
| Tidewater EU annual subscription fee (EUR-billed) as share of ARR | $3,100,000 (~7.5% of total ARR) | $3,100,000 (7.5%), EUR-billed | Yes |
| Tidewater annual subscription fee / % of total ARR | USD $3,100,000 (~7.5% of Provider's total ARR) | $3,100,000 — 7.5% of total ARR (Tidewater Distribution N.V.) | Yes |
Findings
Legal
● P1 Meridian Freight (30.1% of ARR) holds immediate, no-cure CoC termination right triggered by this acquisition ▶
Source: Northwind Logistics | Agent: legal
CoC subtype: termination-right held by the Customer (Meridian), exercisable in sole and absolute discretion. The MSA §12.3 grants Meridian the right to terminate immediately upon a Change of Control of Provider, with NO cure period, NO transition/wind-down obligation, no breach required, and a pro-rata refund of prepaid fees. The 60-day period is the window to exercise the right (not a cure window). Meridian is Northwind's largest customer at $12,400,000 ARR (30.1% of total ARR per board deck / ARR schedule), under a 3-year term through 2027-12-31. The cap table summary §5.2-5.3 expressly states the Summit acquisition 'constitutes a Change of Control' and 'may trigger rights under' the Meridian MSA §12.3. This is the single most material legal risk in the data room and sits at the P0/P1 boundary; it is classified P1 (not P0) because termination requires Meridian's affirmative election rather than being automatic, but it requires pre-close deal protection (customer consent/waiver, escrow, or price adjustment). Note: Northwind board deck Slide 8 affirmatively represents 'No customer-termination, change-of-control, or contract-portability items are flagged in this excerpt' — which understates this exposure.
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(c))“in the event of a Change of Control of Provider, Customer may terminate this Agreement, effective immediately, by delivering written notice of such election to Provider (or its successor) at any time within sixty (60) days following the later of (i) the closing of the Change of Control or (ii) Customer's receipt of the notice required under Section 12.3(b). Such termination shall be automatic and effective upon Customer's written election, and shall not require the consent of Provider or its successor, nor shall it be subject to any cure period, transition period, or wind-down obligation.”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(d))“Customer's termination right under this Section 12.3 is exercisable in Customer's sole and absolute discretion, is not conditioned on any breach or change in service, and is not subject to any limitation, cap, or carve-out.”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.3)“the Meridian Freight Corporation Master Services Agreement, §12.3 (Change of Control), grants the customer rights upon a Change of Control of Provider as defined in §5.1 above. The consummation of the Transaction is expected to constitute a Change of Control for purposes of, and may trigger rights under, such customer agreements.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2 — ARR by Customer, Row 1)“Meridian Freight Corporation | Enterprise / 3PL | $12,400,000 | 30.1%”
● P1 Core Route Optimization Engine built by contractor with NO IP assignment — only a non-exclusive license to Northwind ▶
Source: Northwind Logistics | Agent: legal
The Route Optimization Engine — described in the SOW as 'a core differentiating feature of the Platform's transportation-orchestration module' that 'is intended to power high-volume enterprise deployments, including Company's largest enterprise customer accounts' — was built by an independent contractor (Signatory C) under a contractor agreement that contains NO IP assignment and NO work-made-for-hire designation. Northwind received only a non-exclusive, royalty-free license (§6.2). The contractor therefore retains ownership of the source code and algorithms of a core platform component and could license the same IP to competitors. The agreement's own data-room note expressly flags this, contrasting it with Northwind's employee IP agreement under which employees presently assign all work product. This is a material IP ownership gap directly within the deal's stated 'IP ownership of core platform components, including any contractor-built modules' diligence focus. Requires pre-close remediation (obtain a present assignment / work-for-hire confirmation from Signatory C) and likely a specific indemnity/escrow. The route-optimization module is also expressly part of the Meridian, Harbor Foods, and Cobalt subscriptions, magnifying the exposure.
Confidence: high
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (End-of-SOW data-room reviewer note)“This Agreement contains no provision assigning, transferring, or vesting in Company ownership of, or any work-made-for-hire designation with respect to, the intellectual property, source code, algorithms, or other work product created by Contractor in connection with the Services. The only grant in favor of Company is the non-exclusive license set forth in Section 6.2.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Section 6.2 (License to Company))“Contractor hereby grants to Company a non-exclusive, worldwide, royalty-free license to use, reproduce, modify, and incorporate the Deliverables into the Platform and to operate the Platform for Company's business purposes.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A SOW §1 (Background and Objective))“the Engine is intended to be incorporated into the Platform”
● P1 GDPR violation: EU driver telemetry (Tidewater) transferred to US sub-processor with no SCCs, no DPA, no Annex 2 listing ▶
Source: Northwind Logistics | Agent: legal
Northwind streams real-time EU driver location/GPS telemetry for the Tidewater (Belgium) tenant to TelemetryWorks Inc., a US sub-processor in Portland, Oregon, for route analytics. Per the company's own sub-processor register this transfer has NO lawful basis: TelemetryWorks is NOT listed in the Tidewater DPA Annex 2 (violating DPA §5.1's prior-notice/approval requirement), there are NO Standard Contractual Clauses on file, no EU-US Data Privacy Framework certification verified, and no executed Article 28 DPA between Northwind and TelemetryWorks. The data flow is active in production and the gap is recorded as 'OPEN — unresolved as of 2026-Q1 review'; all remediation items are 'Not started.' This is a live GDPR Chapter V (international transfer) and Article 28 (sub-processing) violation affecting EU data subjects, exposing the target (and acquirer post-close) to supervisory-authority enforcement and Tidewater contractual claims. Tidewater = $3,100,000 ARR / 7.5% of total ARR. Requires pre-close remediation plan and indemnity.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 3 (TelemetryWorks Inc.))“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.2 (The compliance gaps))“The telemetry data is personal data of EU data subjects (Belgian drivers) transferred from the EEA to the United States. **No EU Standard Contractual Clauses (SCCs) are on file**, no EU–US Data Privacy Framework certification has been verified for TelemetryWorks, and no other Article 46 transfer mechanism is in place. The US transfer currently has **no lawful transfer basis** documented.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-processing))“Where any Sub-processor is established in, or Processes EU Personal Data from, a country outside the European Economic Area that has not been the subject of an adequacy decision, the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
◆ P2 Harbor Foods (16.5% of ARR) holds 30-day termination-for-convenience right with pro-rata refund ▶
Source: Northwind Logistics | Agent: legal
Termination subtype: Termination for Convenience (TfC), unilateral right held by the Customer (Harbor Foods). Harbor may terminate the entire agreement for convenience without cause on only 30 days' notice, with a pro-rata refund of prepaid fees and no early-termination fee or penalty. Harbor Foods is $6,800,000 ARR (16.5% of total ARR). Per legal severity calibration, a TfC clause is normally a P2 valuation concern, but escalates to P1 when TfC affects >10% of revenue with <90-day notice — both conditions are met here (16.5% revenue; 30-day notice). This is non-committed, at-risk ARR that lowers revenue quality/RPO certainty and should factor into ASC 606 RPO and purchase-price/earn-out analysis. The ARR schedule also notes the resulting refund liability is 'not currently reserved.'
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 10.4 (Termination for Convenience by Customer))“Customer may terminate this Agreement, in whole, for convenience and without cause at any time upon thirty (30) days' prior written notice to Provider. In the event of such termination for convenience, Provider shall refund to Customer, within thirty (30) days following the effective date of termination, a pro-rata portion of any Prepaid Fees attributable to the period from and after the effective date of termination through the end of the then-current term. No early-termination fee, penalty, or wind-down charge shall be payable by Customer in connection with a termination under this Section 10.4.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4 §4.2 (Other Recognition Notes))“Harbor Foods ($6.8M):** Annual billing; subject to pro-rata refund on termination for convenience (see MSA §10.4) — refund liability not currently reserved.”
◆ P2 Granite Manufacturing CoC requires counterparty consent to assign (consent not unreasonably withheld); no termination ri ▶
Source: Northwind Logistics | Agent: legal
CoC subtype: consent-required (for assignment), with a notification component. Granite MSA §10.2 requires the Provider undergoing a Change of Control to notify Granite within 30 days and permits assignment to the acquirer only upon Granite's prior written consent, 'which consent shall not be unreasonably withheld, conditioned, or delayed,' and consent may reasonably be withheld only where the acquirer is a direct competitor or financially incapable. Critically, the clause states 'A Change of Control shall not, by itself, give either Party any right to terminate this Agreement.' Granite = $4,500,000 ARR (10.9%). Because Northwind survives as the contracting entity in a stock acquisition (no assignment of the contract is strictly required), the consent standard is reasonable, the buyer is not a competitor, and there is no termination right, this is a manageable P2 (notification + reasonable consent) rather than P1. Obtain Granite consent/acknowledgement as a routine pre-close integration step.
Confidence: high
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 10.2 (Change of Control))“The Party undergoing the Change of Control may assign this Agreement to the acquiring or surviving entity **upon the prior written consent of the other Party, which consent shall not be unreasonably withheld, conditioned, or delayed.** For purposes of this Section 10.2, it shall be deemed reasonable for the non-assigning Party to withhold consent only where the acquiring or surviving entity is a direct competitor of such non-assigning Party or is unable to demonstrate the financial and operational capacity to perform the obligations under this Agreement. **A Change of Control shall not, by itself, give either Party any right to terminate this Agreement.**”
◆ P2 Acquisition triggers Series B protective provision requiring investor consent to change of control ▶
Source: Northwind Logistics | Agent: legal
The Series B Preferred protective provisions include a consent right over change of control and sale of all/substantially all assets. The cap table confirms the Summit transaction constitutes a Change of Control under the Certificate of Incorporation and Series B Stock Purchase Agreement. Closing therefore requires Series B investor consent (Investor Entity X holds 15.59% fully-diluted; founders hold 49.54% — no single majority holder). This is routine deal-mechanics requiring shareholder/preferred-stockholder approval; manageable as a closing condition (P2), not a deal risk on its own. Underlying Certificate of Incorporation and Series B SPA (Exhibits C and D) are referenced but not present in the data room — see gaps.
Confidence: medium
Northwind_Logistics/cap_table_summary.pdf.md (Section 4 (Series B Preferred — Key Terms, Protective Provisions))“Customary; includes consent for change of control, sale of all/substantially all assets, and amendment of Certificate of Incorporation”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.2)“The proposed acquisition by Summit Industrial Group, LLC of more than fifty percent (50%) of the Company's outstanding equity (and/or substantially all of its assets) **constitutes a Change of Control** under the foregoing definition.”
○ P3 Harbor Foods MSA permits assignment in M&A without consent; CoC gives no termination right (favorable) ▶
Source: Northwind Logistics | Agent: legal
CoC subtype: notification-style permitted assignment (favorable to acquirer). Harbor Foods §12.1 allows either party to assign the agreement without consent in connection with a merger/acquisition/reorganization on written notice, and expressly states a change of control of Provider gives Customer no termination right. This is acquirer-favorable and informational. (Note: Harbor's separate TfC right under §10.4 is the material item — reported as P1 above.)
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 12.1 (Assignment))“either Party may assign this Agreement, upon written notice and without consent, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. For the avoidance of doubt, a change of control of Provider shall not give rise to any right of Customer to terminate this Agreement.”
○ P3 Standard mutual liability caps (12-month fees) across enterprise MSAs ▶
Source: Northwind Logistics | Agent: legal
All four enterprise customer contracts (Meridian §10.2, Harbor §11.2, Granite §11.2, and the Cobalt order form via incorporated MSA) cap each party's aggregate liability at the fees paid/payable in the 12 months preceding the claim, with standard carve-outs for confidentiality breach, indemnification, and gross negligence/willful misconduct. These are market-standard mutual caps; informational, no action required. The contractor agreement (§8.2) caps the contractor's liability at the total fixed fee ($185,000) — low relative to the IP exposure noted above.
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 10.2)“EACH PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Section 8.2)“CONTRACTOR'S AGGREGATE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FIXED FEE PAID HEREUNDER.”
○ P3 Employee IP assignment standard form is robust (present assignment + work-for-hire) but applies only to employees ▶
Source: Northwind Logistics | Agent: legal
Northwind's standard-form Employee Proprietary Information and Inventions Assignment Agreement contains a strong present assignment of all Company Inventions (§3.1) and a work-made-for-hire clause (§3.2), and is assignable by the Company to a successor without employee consent (§8.6) — favorable for the acquirer. The agreement's own scope note confirms this assignment does NOT extend to non-employee contractors absent an equivalent contractor assignment, which is precisely the gap in the Route Optimization Engine contractor agreement (reported P1 above). Informational; the form itself is sound.
Confidence: high
Northwind_Logistics/employment_ip_agreement.pdf.md (Section 3.1 (Present Assignment))“Employee hereby irrevocably assigns, transfers, and conveys to the Company all right, title, and interest, throughout the world and in perpetuity, in and to all Company Inventions and any and all associated intellectual property rights”
Northwind_Logistics/employment_ip_agreement.pdf.md (Note on Scope)“the present-tense assignment in Section 3 above does **not** automatically extend to non-employee contractors unless an equivalent assignment is executed in the applicable contractor agreement.”
Finance
▲ P0 Largest customer (Meridian, 30.1% of ARR) holds unconditional immediate CoC termination right triggered by this acquisit ▶
Source: Northwind Logistics | Agent: finance
The Meridian Freight MSA (§12.3) grants Customer the right to terminate immediately upon a Change of Control of Provider, in its 'sole and absolute discretion,' with no cure period, no cap, and no carve-out, exercisable within 60 days of closing/notice. The cap_table_summary confirms the Summit acquisition 'constitutes a Change of Control' and 'may trigger rights under' this agreement. Meridian is the single largest customer at $12,400,000 ARR (30.1% of total $41.2M ARR per the ARR schedule). From a finance lens this places 30.1% of ARR at risk of unilateral loss at closing, plus a contractual obligation to refund prepaid fees pro-rata for the unused portion of the then-current annual period. This exceeds the 20%-revenue / no-cure CoC threshold for a deal-stopper and warrants pre-close protection (customer reaffirmation/consent, escrow, or price adjustment). Legal owns the clause analysis; this finding quantifies the revenue-at-risk and refund exposure.
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (§12.3(c)-(d) Change of Control of Provider)“in the event of a Change of Control of Provider, Customer may terminate this Agreement, effective immediately, by delivering written notice of such election to Provider (or its successor) at any time within sixty (60) days following the later of (i) the closing of the Change of Control or (ii) Customer's receipt of the notice required under Section 12.3(b). Such termination shall be automatic and effective upon Customer's written election, and shall not require the consent of Provider or its successor, nor shall it be subject to any cure period, transition period, or wind-down obligation.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2 — ARR by Customer, Row 1 (Meridian Freight Corporation))“| 1 | Meridian Freight Corporation | Enterprise / 3PL | $12,400,000 | 30.1% | Annual, in advance | 2027-12-31 |”
Northwind_Logistics/cap_table_summary.pdf.md (§5.3 Cross-Reference — Customer Agreements)“The consummation of the Transaction is expected to constitute a Change of Control for purposes of, and may trigger rights under, such customer agreements.”
● P1 Cobalt $28.8M prepaid recognized front-loaded in Year 1 rather than ratably — overstates revenue/ARR quality; possible r ▶
Source: Northwind Logistics | Agent: finance
Management's own FP&A note flags that the Cobalt Retail 36-month, $28,800,000 prepaid arrangement (cash collected in full 2025-01-15) was recognized with a front-loaded Year-1 tranche instead of ratably over the 36-month service period. Straight-line recognition would be ~$9,600,000/yr (~$800,000/month), and deferred revenue at 2026-03-31 should reflect ~21 unconsumed months (~$16,800,000). The current treatment overstates recognized revenue and the durability of in-period ARR, and the board deck characterizes the prepayment as a positive boost to 'in-period revenue.' Cobalt is 23.3% of ARR ($9.6M). This requires buyer-side confirmation of ASC 606 performance-obligation timing and restatement of recognized vs. deferred balances; a price/quality-of-earnings adjustment may be warranted.
Confidence: high
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4 §4.1 — FP&A recognition note (FLAGGED FOR REVIEW))“The Cobalt $28.8M / 36-month prepaid arrangement was recognized with a **front-loaded Year-1 tranche** rather than **ratably over the 36-month service period**. Under a ratable basis, recognized revenue would approximate $9,600,000 per annum ($800,000/month) straight-line. The current treatment recognizes a disproportionate share in Year 1 (FY2025), which **overstates recognized revenue and ARR quality** relative to the ratable/straight-line method customary for over-time SaaS subscription delivery.”
Northwind_Logistics/order_form_cobalt_retail.pdf.md (§4.3 Prepaid Billing / §4.5 Invoice and Collection)“the **entire Total Contract Value of $28,800,000 is payable in a single up-front installment** covering the full 36-month Initial Term.”
Northwind_Logistics/board_deck_excerpt.pdf.md (Slide 4 — Business Highlights)“a **$28.8M total contract value** (36-month term) **invoiced and cash-collected in full in January 2025**. Management views this as a landmark validation of the platform and a meaningful boost to in-period revenue.”
● P1 High customer concentration: Top-1 30.1% and Top-3 69.9% of ARR; durability hinges on three enterprise contracts ▶
Source: Northwind Logistics | Agent: finance
The ARR schedule reports Top-1 concentration of 30.1% (Meridian), Top-3 of 69.9% (Meridian + Cobalt + Harbor = $28.8M), and Top-5 of 88.3%. Management's own FP&A note states Top-1 sits at/above the 30% internal threshold and Top-3 indicates limited diversification. While below the absolute deal-killer thresholds (single >40%, Top-3 >70% — Top-3 here is 69.9%, marginally under), the concentration is material and is compounded by the Meridian CoC termination right (see related P0) and the Harbor termination-for-convenience right. Buyer should treat the top-3 cohort renewal/term risk as a diligence and deal-protection priority.
Confidence: high
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 1 §1.1 Headline Metrics and §2.3 Concentration Analysis)“Top-1 customer concentration of 30.1% sits at/above the 30% internal concentration threshold. Top-3 of 69.9% indicates limited revenue diversification across the enterprise book.”
◆ P2 Core route-optimization engine IP not assigned to Company (only non-exclusive license) — valuation/asset-quality risk ▶
Source: Northwind Logistics | Agent: finance
The Route Optimization Engine — described as 'a core differentiating feature' powering the largest enterprise deployments — was built by an independent contractor for a fixed fee of $185,000. The agreement grants Company only a non-exclusive license (§6.2) and contains NO IP assignment or work-made-for-hire designation, in contrast to the employee PIIA's present assignment. From a finance/valuation lens, a core revenue-generating asset of the platform is not owned outright, creating asset-quality and potential remediation-cost exposure (re-licensing / buy-out / rebuild). Legal/IP owns the ownership-defect severity; flagged here for valuation impact and cross-referenced.
Confidence: high
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A note (data-room reviewer reference) and §6.2 License to Company)“This Agreement contains no provision assigning, transferring, or vesting in Company ownership of, or any work-made-for-hire designation with respect to, the intellectual property, source code, algorithms, or other work product created by Contractor in connection with the Services. The only grant in favor of Company is the non-exclusive license set forth in Section 6.2.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§3.1 Fixed Fee)“Company shall pay Contractor a fixed fee of **One Hundred Eighty-Five Thousand U.S. Dollars ($185,000.00)**”
○ P3 Cobalt renewal uplift capped at 5%; Cobalt mid-term price held firm — standard pricing terms ▶
Source: Northwind Logistics | Agent: finance
The Cobalt order form holds the $9,600,000 annual fee firm for the full 36-month term with no mid-term escalation, and caps renewal uplift at 5%. These are standard, customer-favorable but unremarkable pricing terms with no adverse financial impact; noted for completeness.
Confidence: high
Northwind_Logistics/order_form_cobalt_retail.pdf.md (§5.2 Renewal / §6.2 Price Hold)“Fees for any Renewal Term shall be the then-current Initial Term annual fee plus an uplift not to exceed five percent (5%), unless otherwise agreed in writing.”
Commercial
● P1 Harbor Foods (16.5% of ARR) holds termination-for-convenience right on 30 days' notice with pro-rata refund; refund liab ▶
Source: Northwind Logistics | Agent: commercial
The Harbor Foods MSA §10.4 gives the customer an unconditional right to terminate for convenience and without cause at any time on only 30 days' written notice, with a pro-rata refund of prepaid fees and no early-termination fee or penalty. Harbor Foods represents $6,800,000 / 16.5% of total ARR. Under the commercial calibration, termination-for-convenience on a >10%-revenue customer with <90-day notice is a P1 'at-risk ARR' valuation concern requiring deal protection. Compounding the exposure, the ARR schedule notes the pro-rata refund liability on Harbor Foods is 'not currently reserved.' Harbor also auto-renews in 1-year terms with a 60-day non-renewal window, so the relationship is non-committed beyond the current term. The Harbor MSA §12.1 expressly provides that a change of control of Provider does NOT give a termination right (unlike Meridian), so the CoC exposure here is limited to the standing TfC right.
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 10.4 Termination for Convenience by Customer)“Customer may terminate this Agreement, in whole, for convenience and without cause at any time upon thirty (30) days' prior written notice to Provider. In the event of such termination for convenience, Provider shall refund to Customer, within thirty (30) days following the effective date of termination, a pro-rata portion of any Prepaid Fees attributable to the period from and after the effective date of termination through the end of the then-current term.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4.2 Other Recognition Notes (Harbor Foods))“**Harbor Foods ($6.8M):** Annual billing; subject to pro-rata refund on termination for convenience (see MSA §10.4) — refund liability not currently reserved.”
▲ P0 Meridian Freight (30.1% of ARR) holds unconditional immediate termination right triggered by Summit's acquisition, no cu ▶
Source: Northwind Logistics | Agent: commercial
The Meridian Freight MSA §12.3 grants the customer a unilateral right to terminate effective immediately upon a Change of Control of Northwind, exercisable in Meridian's 'sole and absolute discretion,' not conditioned on any breach, not subject to any cure or wind-down period, within 60 days of the closing/notice. The cap table summary §5.2 confirms that Summit's acquisition of >50% equity 'constitutes a Change of Control' under the very definition keyed to MSA §12.3. Meridian is the single largest customer at $12,400,000 / 30.1% of total ARR (well above the 20% deal-stopper threshold). Upon such termination Northwind must refund prepaid fees pro-rata and is owed no transition/continuation revenue. This is the precise pattern of a >20%-revenue customer with a no-cure termination right activated by the transaction itself. A reasonable acquirer would require a customer consent/standstill or reaffirmation as a closing condition, an indemnity/escrow, or a purchase-price adjustment. Note: the management board deck (Slide 8) affirmatively represents that 'No customer-termination, change-of-control, or contract-portability items are flagged,' which is contradicted by this clause (see separate finding).
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(c)-(d) Change of Control of Provider)“in the event of a Change of Control of Provider, Customer may terminate this Agreement, effective immediately, by delivering written notice of such election to Provider (or its successor) at any time within sixty (60) days following the later of (i) the closing of the Change of Control or (ii) Customer's receipt of the notice required under Section 12.3(b). Such termination shall be automatic and effective upon Customer's written election, and shall not require the consent of Provider or its successor, nor shall it be subject to any cure period, transition period, or wind-down obligation.”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 12.3(d))“Customer's termination right under this Section 12.3 is exercisable in Customer's sole and absolute discretion, is not conditioned on any breach or change in service, and is not subject to any limitation, cap, or carve-out. Upon such termination, Customer shall have no obligation to pay any fees for periods following the effective date of termination, Provider shall refund any prepaid fees on a pro-rata basis for the unused portion of the then-current annual period”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.2-5.3 Change of Control)“The proposed acquisition by Summit Industrial Group, LLC of more than fifty percent (50%) of the Company's outstanding equity (and/or substantially all of its assets) **constitutes a Change of Control** under the foregoing definition.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2.1 ARR by Customer, Row 1)“| 1 | Meridian Freight Corporation | Enterprise / 3PL | $12,400,000 | 30.1% | Annual, in advance | 2027-12-31 |”
● P1 Cobalt Retail (23.3% of ARR, $28.8M prepaid) governed by an MSA dated Dec 18 2024 that is absent from the data room ▶
Source: Northwind Logistics | Agent: commercial
The Cobalt Retail order form (NW-OF-2025-0007) is expressly governed by and incorporates by reference a 'Master Services Agreement between Provider and Customer dated December 18, 2024' that does not appear anywhere in the data room — only the order form is present. Cobalt is the second-largest customer at $9,600,000 / 23.3% of ARR with a $28,800,000 prepaid 36-month TCV (cash-collected in full Jan 2025). Because the governing MSA is missing, the change-of-control, termination, SLA, liability, indemnity, and refund terms applicable to nearly a quarter of ARR cannot be assessed. The order form selectively reproduces only renewal/termination-for-cause/governing-law clauses and is silent on CoC. Given Meridian's MSA contains a severe CoC termination right, the un-reviewed Cobalt MSA represents material undisclosed CoC/refund exposure on a fully-prepaid account. Buyer must obtain the executed Cobalt MSA before close. (Also recorded as a gap.)
Confidence: high
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Header / MSA Reference)“**MSA Reference:** Master Services Agreement between Provider and Customer dated December 18, 2024 ("MSA")”
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 4.5 Invoice and Collection)“Invoice No. NW-INV-2025-0021 in the amount of **$28,800,000** was issued on January 15, 2025 and **paid and cash-collected in full on January 15, 2025**.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2.1 ARR by Customer, Row 2)“| 2 | Cobalt Retail Group | Enterprise / Shipper | $9,600,000 | 23.3% | 36-mo prepaid (collected 2025-01-15) | 2027-12-31 |”
◆ P2 High customer concentration: top-1 30.1%, top-3 69.9%, top-5 88.3% of ARR ▶
Source: Northwind Logistics | Agent: commercial
The ARR schedule reports top-1 customer concentration at 30.1% (Meridian), top-3 at 69.9% (Meridian + Cobalt + Granite [sic: Harbor]), and top-5 at 88.3%, against an internal 30% concentration threshold that the top-1 account meets/exceeds. The long-tail is only 11.7% across 47 SMB accounts. This limited revenue diversification amplifies the impact of the contract-level termination/renewal risks flagged for Meridian (P0 CoC) and Harbor (P1 TfC): a material share of ARR is concentrated in a small number of accounts that individually hold exit rights. Concentration sits just below the >40%-single-customer / >70%-top-3 deal-killer thresholds, so it is a material valuation/durability concern (P2) rather than a standalone deal-stopper. Defer ARR-quality and revenue-recognition durability analysis to the Finance agent.
Confidence: high
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 1.1 Headline Metrics & Sheet 2.3 Concentration Analysis)“| Top-1 customer concentration | **30.1%** |
| Top-3 customer concentration | **69.9%** |
| Top-5 customer concentration | 88.3% |”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 2.3 FP&A note (concentration))“Top-1 customer concentration of 30.1% sits at/above the 30% internal concentration threshold. Top-3 of 69.9% indicates limited revenue diversification across the enterprise book.”
◆ P2 Management board deck affirmatively misstates CoC/termination exposure on largest customer ▶
Source: Northwind Logistics | Agent: commercial
The Q1 2026 board deck (Slide 8) represents that 'No customer-termination, change-of-control, or contract-portability items are flagged in this excerpt' and characterizes top-account concentration as 'manageable' and 'well-mitigated by contract duration.' This directly contradicts the executed Meridian MSA §12.3 (immediate, sole-discretion CoC termination on 30.1% of ARR) and the Harbor MSA §10.4 (30-day TfC on 16.5% of ARR) — and the company's own cap-table summary §5.3 expressly cross-references the Meridian CoC trigger. The board deck is internal DD-output/reference material, but the gap between the management narrative ('high-switching-cost,' 'no material near-term revenue risk') and the contract terms is itself a diligence red flag bearing on the reliability of management representations. Buyer should reconcile the management view against the contracts and seek reps/warranties coverage.
Confidence: high
Northwind_Logistics/board_deck_excerpt.pdf.md (Slide 8 Key Risks & Watch Items)“*No customer-termination, change-of-control, or contract-portability items are flagged in this excerpt.*”
Northwind_Logistics/board_deck_excerpt.pdf.md (Slide 6 Customer Concentration: Management View)“with the two largest accounts (Meridian and Cobalt, together 53.4% of ARR) under multi-year terms extending into 2027, **the concentration profile is well-mitigated by contract duration** and presents no material near-term revenue risk.”
Northwind_Logistics/cap_table_summary.pdf.md (Section 5.3 Cross-Reference Customer Agreements)“the **Meridian Freight Corporation Master Services Agreement, §12.3 (Change of Control)**, grants the customer rights upon a Change of Control of Provider as defined in §5.1 above. The consummation of the Transaction is expected to constitute a Change of Control for purposes of, and may trigger rights under, such customer agreements.”
◆ P2 Granite Manufacturing (10.9% of ARR) does NOT auto-renew; requires affirmative mutual written renewal 30 days before Feb ▶
Source: Northwind Logistics | Agent: commercial
Unlike the other enterprise contracts, the Granite Manufacturing MSA §2.2 does not auto-renew: it renews only upon mutual written agreement executed at least 30 days before the then-current expiration, and §9.3 bars termination for convenience during the initial term. The two-year initial term expires February 28, 2027. Granite is $4,500,000 / 10.9% of ARR. The affirmative-renewal mechanic creates renewal/churn risk on >10% of ARR roughly 9 months post the expected Q3 2026 close — there is no contractual continuation absent a fresh negotiation, and no renewal evidence is in the data room. Granite's CoC clause (§10.2) requires consent (not to be unreasonably withheld) for assignment and provides no termination right on CoC, so the renewal mechanic is the principal commercial risk here.
Confidence: high
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 2.2 Renewal)“this Agreement shall renew for successive one (1) year periods ... only upon the mutual written agreement of the Parties executed not less than thirty (30) days prior to the then-current expiration date. For the avoidance of doubt, this Agreement does not auto-renew absent such written agreement.”
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 2.1 Initial Term)“continue for a period of **two (2) years**, expiring on **February 28, 2027** (the "**Initial Term**")”
○ P3 Granite MSA permits customer to withhold consent to CoC assignment if acquirer is a 'direct competitor' ▶
Source: Northwind Logistics | Agent: commercial
The Granite MSA §10.2 allows assignment to the acquiring/surviving entity on a CoC only with the other party's prior written consent, not to be unreasonably withheld, but expressly deems it reasonable to withhold consent where the acquirer 'is a direct competitor' of the customer or cannot demonstrate financial/operational capacity. Summit Industrial Group operates fleet/logistics operations (per the acquirer overview), so there is a residual risk Granite could argue Summit is a competitor and withhold consent on 10.9% of ARR. A CoC does not by itself give a termination right under this MSA, so this is a consent/assignment risk (P2), not a termination right. Buyer should confirm Granite consent and that Summit is not deemed a 'direct competitor.'
Confidence: medium
Northwind_Logistics/msa_granite_manufacturing.pdf.md (Section 10.2 Change of Control)“it shall be deemed reasonable for the non-assigning Party to withhold consent only where the acquiring or surviving entity is a direct competitor of such non-assigning Party or is unable to demonstrate the financial and operational capacity to perform the obligations under this Agreement. **A Change of Control shall not, by itself, give either Party any right to terminate this Agreement.**”
○ P3 Differing SLA uptime commitments and capped service-credit exposure across enterprise contracts ▶
Source: Northwind Logistics | Agent: commercial
Uptime commitments and service-credit remedies vary by customer: Meridian 99.9% with credits up to 10% of monthly fee (Exhibit B); Cobalt 99.9% (order form 2.5); Harbor 99.5% with 5% per 0.5% shortfall capped at 25% of monthly fee; Granite 99.5% with 5% per 0.5% capped at 25% per quarter. In each MSA service credits are the customer's sole and exclusive remedy, capping financial downside. These are standard SaaS SLA terms with bounded exposure; noted for completeness and integration planning. No SLA breach history or uptime evidence is in the data room (see gap).
Confidence: high
Northwind_Logistics/msa_meridian_freight.pdf.md (Exhibit B Service Level Addendum & Section 2.3)“Service credits, where applicable, shall be Customer's sole and exclusive remedy for any failure to meet the committed uptime.”
Northwind_Logistics/msa_harbor_foods.pdf.md (Exhibit A Service Level Agreement (Summary))“| Service Credit | 5% of monthly fee per 0.5% below 99.5%, capped at 25% |”
○ P3 Cobalt order form auto-renews 12-month terms with capped 5% uplift; 90-day non-renewal notice ▶
Source: Northwind Logistics | Agent: commercial
The Cobalt order form (incorporating MSA §11.2) auto-renews for successive 12-month terms unless 90 days' written non-renewal notice, with renewal fees capped at a 5% uplift over the current annual fee, and a firm price-hold (no mid-term escalation) for the 36-month initial term. Standard, customer-favorable-but-routine renewal mechanics on a prepaid account through 2027-12-31; informational. Note the underlying governing MSA itself is missing (see P1 finding/gap).
Confidence: high
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 5.2 Renewal)“automatically renew for successive twelve (12) month renewal terms (each, a "Renewal Term") unless either party provides written notice of non-renewal to the other party **at least ninety (90) days prior to the end of the then-current term**. Fees for any Renewal Term shall be the then-current Initial Term annual fee plus an uplift not to exceed five percent (5%)”
Product & Tech
● P1 Unlawful US transfer of EU driver telemetry to unauthorized sub-processor (TelemetryWorks) with no DPA, no SCCs, no tran ▶
Source: Northwind Logistics | Agent: producttech
Northwind's own Sub-Processor Register (2026-Q1, status OPEN) discloses that the platform streams real-time driver location/GPS telemetry and trip metadata for the EU customer Tidewater (Belgian drivers) to TelemetryWorks Inc., hosted in Portland, Oregon, USA. Per the register this engagement has (a) NO Article 28 DPA on file, (b) NO EU Standard Contractual Clauses or other Article 46 transfer mechanism, and (c) is NOT listed in the Tidewater DPA Annex 2 of approved sub-processors. This is an active, ongoing transfer of EU personal data to a third country with no lawful transfer basis — a direct breach of Tidewater DPA Section 5 (Sub-Processing) and Section 6 (International Transfers), and of GDPR Chapter V. It also contradicts the DPA's own Annex 3 representation that no sub-processor is located outside the EEA. The data subjects are limited to the Tidewater tenant (~7.5% of ARR), the company has logged the gap for remediation (SCCs/DPA not started), and the exposure is remediable pre-close — hence P1 rather than P0 — but it warrants a specific GDPR-liability indemnity/escrow and confirmed remediation as a condition. The root cause is a process failure: TelemetryWorks was onboarded by Platform Engineering in 2025 outside the DPO sub-processor-approval workflow.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Inventory Row 3 (TelemetryWorks Inc.), Contract/SCC Status column)“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.1 — Flagged Gap (Row 3))“Northwind's platform streams real-time driver location/GPS telemetry and trip metadata for Tidewater's fleet to **TelemetryWorks Inc.**, a sub-processor hosted in Portland, Oregon, USA.”
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 3 — Standard Contractual Clauses)“Status as of the Effective Date: **No SCCs executed** (no Annex-2 Sub-processor located outside the EEA / an adequate country).”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-Processing))“the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
◆ P2 Tidewater DPA Annex 2 sub-processor list does not reconcile with the 2026-Q1 Sub-Processor Register (different entities ▶
Source: Northwind Logistics | Agent: producttech
The two authoritative GDPR governance documents for the same EU tenant do not reconcile. The Tidewater DPA Annex 2 (last updated 14 Jan 2025) lists approved sub-processors as Aurora Cloud Hosting GmbH (Frankfurt), Helvetia Mail Relay AG (Zurich), Brussels Support Partners BV (Antwerpen), and a Northwind EEA branch. The 2026-Q1 Sub-Processor Register instead names CloudHarbor EU GmbH (Frankfurt), MessageRoute SAS (Paris), LedgerPay Ltd (Dublin), HelpDeskNow Inc (Virginia), ArchiveVault EU (Amsterdam), and TelemetryWorks (Portland) — entirely different entity names — yet the register marks several as 'Listed in Tidewater DPA Annex 2.' Additionally, the DPA document is dated and signed 1 March 2025, while the register states the 'Tidewater DPA executed 2024-09-12.' These inconsistencies undermine the reliability of the sub-processor inventory used to verify GDPR Article 28/30 compliance and should be reconciled before relying on either list. Flagged as a data-integrity/compliance concern for post-close remediation; cite both documents.
Confidence: medium
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 2 — Approved Sub-Processors (Last updated 14 January 2025))“| 1 | Aurora Cloud Hosting GmbH | Frankfurt, Germany (EEA) | Primary infrastructure hosting (compute, storage, database) | N/A — within EEA |”
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Inventory Row 1)“| 1 | **CloudHarbor EU GmbH** | Primary cloud infrastructure / application hosting | Driver identity & contact data, consignee contact data, shipment records | Frankfurt, Germany (EEA) | Yes | **Listed** | DPA executed 2024-08-01; intra-EEA, no transfer mechanism required |”
Northwind_Logistics/subprocessor_register.pdf.md (Section 2 — Key Customer Data Context)“The Tidewater Master Services Agreement incorporates a Data Processing Agreement ("**Tidewater DPA**") executed 2024-09-12.”
◆ P2 Aggressive SLA commitments (99.9% uptime, 1-hour critical response) unverifiable — no architecture, capacity, or uptime- ▶
Source: Northwind Logistics | Agent: producttech
The two largest customer contracts impose demanding service-level commitments: Meridian Freight (30.1% of ARR) requires 99.9% monthly uptime with a 1-hour critical incident response and Premier 24x7 support; Cobalt Retail (23.3% of ARR) requires a 99.9% uptime SLA with 24x5 support. Harbor Foods and Granite require 99.5% with 1-hour / 2-business-hour Severity-1 response. No architecture documentation, capacity plan, uptime/availability history, SOC 2 report, or operational runbook is present in the data room to substantiate that Northwind can technically meet these contractual commitments, and the contracts make service credits the customer's 'sole and exclusive remedy.' Feasibility is therefore unverified — a moderate post-close technical-diligence item; the underlying contractual SLA text is cited, but the supporting operational evidence is absent (see related gaps).
Confidence: medium
Northwind_Logistics/msa_meridian_freight.pdf.md (Exhibit B — Service Level Addendum (Summary))“| Critical Incident Response | 1 hour |”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 2.3 (Service Levels))“Provider shall use commercially reasonable efforts to make the Platform available with a monthly uptime of at least 99.9%, measured in accordance with the Service Level Addendum attached as **Exhibit B**. Service credits, where applicable, shall be Customer's sole and exclusive remedy for any failure to meet the committed uptime.”
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 2, Item 2.5)“Standard Support (24×5) and 99.9% uptime SLA per MSA Exhibit B | Included”
Cybersecurity
● P1 Unlawful cross-border transfer of EU driver personal data to unapproved US sub-processor (TelemetryWorks) ▶
Source: Northwind Logistics | Agent: cybersecurity
Northwind's own Sub-Processor Register (maintained by its Data Protection & Security Office, as of 31 March 2026) discloses an OPEN, unresolved compliance gap: it streams real-time EU (Belgian) driver location/GPS telemetry and identifiers for the Tidewater tenant to TelemetryWorks Inc., hosted in Portland, Oregon, USA. There is (a) no DPA Annex 2 listing/approval for this sub-processor, (b) no EU Standard Contractual Clauses or other Chapter V transfer mechanism on file for the EEA-to-US transfer, and (c) no executed Article 28 DPA between Northwind and TelemetryWorks covering EU personal data. The Tidewater DPA at Section 5.3 expressly requires SCCs or another valid Chapter V mechanism for any non-EEA sub-processor, and Section 5.1 requires 30 days' prior notice/opportunity to object. This is an unremediated processing-without-lawful-transfer-basis exposure affecting all active Tidewater fleet drivers, creating GDPR liability (Northwind remains fully liable for sub-processor obligations under DPA 5.4), potential customer termination/claims, and regulatory enforcement risk. Calibrated P1 (material, requires pre-close remediation/indemnity/escrow) rather than P0 because the data flow is documented, scoped, and remediable, and involves one ~7.5%-of-ARR customer rather than a confirmed third-party breach of the records.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 3 (TelemetryWorks Inc.) — Contract/SCC Status)“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.2 — The compliance gaps)“The telemetry data is personal data of EU data subjects (Belgian drivers) transferred from the EEA to the United States. **No EU Standard Contractual Clauses (SCCs) are on file**, no EU–US Data Privacy Framework certification has been verified for TelemetryWorks, and no other Article 46 transfer mechanism is in place. The US transfer currently has **no lawful transfer basis** documented.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-Processing))“Where any Sub-processor is established in, or Processes EU Personal Data from, a country outside the European Economic Area that has not been the subject of an adequacy decision, the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
◆ P2 Critical sub-processor onboarded outside DPO security-review/approval workflow ▶
Source: Northwind Logistics | Agent: cybersecurity
The Sub-Processor Register records that TelemetryWorks was onboarded by Platform Engineering in 2025 without routing through the DPO sub-processor-approval workflow, which is why it was absent from prior register revisions and the customer DPA Annex 2. This indicates a control weakness in third-party/vendor security governance: engineering teams can stand up production data flows to new vendors (including cross-border PII transfers) without DPO/security review. The remediation tracker shows all corrective items ('Not started' / 'Under discussion'), indicating the governance process has not yet been hardened. Post-close remediation item: enforce mandatory security/DPO review gating for all new sub-processors.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.4 — Internal note)“TelemetryWorks was onboarded by the Platform Engineering team in 2025 to improve route-ETA accuracy; the engagement was not routed through the DPO sub-processor-approval workflow, which is why it is absent from both this register's prior revisions and the Tidewater DPA Annex 2.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 5 — Remediation Tracking)“Execute SCCs (EU 2021 modules, controller-to-processor) with TelemetryWorks | DPO / Legal | TBD | Not started”
○ P3 Documented contractual security controls (TOMs) exist only via single-customer DPA, not enterprise-wide certification ▶
Source: Northwind Logistics | Agent: cybersecurity
The strongest security-control evidence in the data room is the technical and organizational measures schedule in the Tidewater DPA Annex 1 (encryption in transit TLS 1.2+ and at rest AES-256, RBAC with quarterly access reviews, MFA for all admin/production access, network segregation, IDS, annual third-party pentest, documented IRP/BCP). These are positive commitments but are contractual representations made to one EU customer, not independently verified by a SOC 2 / ISO 27001 certificate, audit report, or pentest report in the data room. Treat as the security baseline to validate during confirmatory diligence, not as proof of implemented controls.
Confidence: high
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 1 — Technical and Organizational Measures (Art. 32))“1. Encryption of EU Personal Data in transit (TLS 1.2+) and at rest (AES-256).
2. Role-based access control with least-privilege provisioning and quarterly access reviews.
3. Multi-factor authentication for all administrative and production access.”
○ P3 Customer MSAs commit only to 'commercially reasonable' safeguards with no named standard ▶
Source: Northwind Logistics | Agent: cybersecurity
The Harbor Foods, Meridian Freight, and Granite Manufacturing MSAs each obligate Northwind only to 'commercially reasonable' administrative, physical, and technical safeguards 'consistent with industry standards', with no reference to a specific framework (SOC 2, ISO 27001) or defined controls. For an enterprise SaaS handling logistics/PII at $41.2M ARR, the absence of a contractually-named security standard is a routine but notable gap that enterprise acquirers/customers typically expect to be backed by SOC 2 Type II. Informational; relevant to enterprise-customer retention and upsell.
Confidence: high
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 5.2 (Data and Security))“Provider shall maintain commercially reasonable administrative, physical, and technical safeguards designed to protect the security and confidentiality of Customer Data, consistent with industry standards for SaaS providers.”
HR / People
◆ P2 Worker misclassification risk: sole-proprietor contractor performs core platform development under company direction ▶
Source: Northwind Logistics | Agent: hr
Signatory C is engaged as an independent contractor (1099-NEC) to build the Route Optimization Engine, described as 'a core differentiating feature of the Platform.' Several factors create employee-misclassification exposure under IRS/economic-realities and state ABC tests: the contractor must 'personally perform the Services' and cannot subcontract without consent; Company provides 'systems, repositories, and credentials'; Company directs 'scope, requirements, and acceptance criteria'; and the engagement spans a multi-milestone production build integrated into the company's flagship product. While only one worker is affected (below the >20-worker P2 threshold for volume), the misclassification of a worker building core IP carries back-tax, penalty, and benefits-reclassification risk and compounds the IP-ownership exposure (no present assignment in the contractor agreement). Workforce-impact angle; Legal owns enforceability/IP analysis.
Confidence: medium
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A, §6 Key Personnel)“Contractor (Signatory C) shall personally perform the Services and shall not subcontract any portion of the Services without Company's prior written consent.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§1.3 Manner of Performance)“Contractor shall provide Contractor's own equipment, tools, development environment, and materials, except for such Company systems, repositories, and credentials as Company may elect to provide for integration purposes.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§3.4 No Benefits; Taxes)“Contractor acknowledges that Contractor is not an employee of Company and is not entitled to any employee benefits.”
◆ P2 Key-person dependency: single contractor built core Route Optimization Engine with no post-delivery retention or non-com ▶
Source: Northwind Logistics | Agent: hr
The Route Optimization Engine — characterized as a 'core differentiating feature' powering 'high-volume enterprise deployments, including Company's largest enterprise customer accounts' — was designed and built by a single external contractor (Signatory C) who must personally perform the work. The engagement is project-scoped and terminable for convenience on 15 days' notice, with no ongoing employment relationship, no non-compete/non-solicit, and no stay/retention mechanism binding the contractor post-close. This creates a single-point-of-failure for maintenance, defect remediation, and roadmap continuity of a differentiating module, plus a flight risk that the contractor could build a competing engine. Retention/organizational-health angle distinct from the IP-ownership gap.
Confidence: high
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A, §1 Background and Objective)“The Engine is intended to power high-volume enterprise deployments, including Company's largest enterprise customer accounts.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (§2.2 Termination for Convenience)“Either Party may terminate this Agreement upon fifteen (15) days' prior written notice to the other Party.”
◆ P2 Standard employee agreement contains no non-compete or non-solicit; at-will employment creates post-close flight risk ▶
Source: Northwind Logistics | Agent: hr
The company's standard Employee Proprietary Information and Inventions Assignment Agreement (Rev. 2024.2, applicable to all regular employees) addresses confidentiality and IP assignment but contains NO non-compete and NO non-solicitation covenant, and confirms employment is strictly at-will. For a software target whose value rests on engineering talent, the absence of restrictive covenants means key engineers and product staff are free to depart (and solicit colleagues/customers) at or after closing with no contractual restraint. Combined with the absence of individual executive/founder retention agreements in the data room (see gap), this elevates talent-retention risk for the acquirer and argues for retention packages or new restrictive covenants as a pre-close/integration item. Workforce-retention angle; Legal owns covenant enforceability.
Confidence: medium
Northwind_Logistics/employment_ip_agreement.pdf.md (§8.1 At-Will Employment)“Nothing in this Agreement shall confer any right to continued employment; Employee's employment with the Company is at-will.”
Northwind_Logistics/employment_ip_agreement.pdf.md (Header / scope)“**Applies to: All regular full-time and part-time employees**”
○ P3 Founder concentration: CEO and co-founder hold 49.54% fully-diluted with no retention terms evidenced in data room ▶
Source: Northwind Logistics | Agent: hr
Signatory A (Founder & CEO) holds 33.03% and Co-Founder Holder Y holds 16.51% fully-diluted (together 49.54%). The CEO is the named signatory and presenter across corporate documents, indicating heavy key-person dependence on the founders. While equity ownership provides some economic alignment through closing, the data room contains no executive employment agreement, no post-close retention/earn-out, and no non-compete for either founder, so continuity of founder leadership after the acquisition is not contractually assured. Flagged as informational pending production of executive agreements (see gap).
Confidence: medium
Northwind_Logistics/cap_table_summary.pdf.md (§3.1 Ownership by Group)“Founders (Signatory A + Co-Founder Holder Y) | 49.54%”
Northwind_Logistics/cap_table_summary.pdf.md (§3 note)“On an as-converted basis the largest single beneficial owner is Signatory A at 33.03%.”
○ P3 Equity compensation pool: 2.15M options granted plus 850K unallocated; vesting/strike detail not in data room ▶
Source: Northwind Logistics | Agent: hr
The cap table shows 2,150,000 granted stock options (9.86% FD) and an 850,000-share unallocated pool (3.90% FD). Option vesting schedules and change-of-control acceleration terms drive employee-retention economics in an acquisition (unvested equity is the primary stay incentive). The summary references 'Exhibit B — Option grant schedule (grant date, strike, vesting)' but that exhibit is not included in the data room, so acceleration triggers and unvested overhang cannot be assessed. Informational; detail requested via gap.
Confidence: high
Northwind_Logistics/cap_table_summary.pdf.md (§2 Authorized & Issued Capital)“| Stock Options (ISO/NSO, granted) | — | 2,150,000 | — |”
Northwind_Logistics/cap_table_summary.pdf.md (§7 Exhibits)“| Exhibit B | Option grant schedule (grant date, strike, vesting) |”
Tax
◆ P2 Multi-state sales/use tax nexus exposure on SaaS revenue with no evidence of collection or reserve ▶
Source: Northwind Logistics | Agent: tax
Northwind is a Delaware C-corp headquartered in Columbus, Ohio, generating $41.2M ARR from SaaS subscriptions to customers across multiple U.S. states — Meridian Freight (New Jersey), Cobalt Retail (Delaware), Harbor Foods (Texas), Granite Manufacturing (Ohio), plus 47 long-tail SMB accounts in various jurisdictions. SaaS/cloud software is a taxable service in several of these states (notably Texas, which taxes SaaS as a data-processing service, and Ohio for business use). Every customer contract shifts the economic burden of sales/use tax to the customer and states fees are 'exclusive of taxes,' but the legal incidence to collect and remit sales tax falls on the seller (Northwind). Post-Wayfair economic-nexus thresholds (commonly $100K revenue / 200 transactions) are very likely exceeded in multiple states given contract sizes ($4.5M–$12.4M each). The data room contains no sales-tax registrations, collection records, nexus study, or reserve. If Northwind has not been collecting/remitting SaaS sales tax where due, the target bears historical uncollected-tax liability plus penalties and interest, which transfers to the buyer in a stock acquisition. Calibrated P2: nexus exposure across 5+ states without reserves; quantification requires a nexus study (see gaps).
Confidence: medium
Northwind_Logistics/msa_harbor_foods.pdf.md (Section 3.4 (Taxes))“Fees are exclusive of all sales, use, value-added, and similar taxes, which shall be the responsibility of Customer, excluding taxes based on Provider's net income.”
Northwind_Logistics/msa_meridian_freight.pdf.md (Section 4.5 (Taxes))“Customer is responsible for all sales, use, and similar taxes associated with its purchase of the services, excluding taxes based on Provider's net income.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 1 Headline Metrics; Sheet 2 ARR by Customer)“Total active customer logos | 52”
◆ P2 Undisclosed German/EEA branch operations create permanent-establishment, VAT and transfer-pricing exposure ▶
Source: Northwind Logistics | Agent: tax
The Tidewater Data Processing Addendum discloses that Northwind operates 'intra-group EEA branch operations' in Frankfurt, Germany, performing 'Platform operations and maintenance,' and that the Processor's primary hosting and processing of EU personal data takes place within the EEA (Frankfurt, Germany region). An operating branch performing platform operations/maintenance in Germany is a strong indicator of a permanent establishment (PE) for German corporate income tax purposes, and may trigger German VAT registration obligations and require arm's-length transfer-pricing support for the intra-group services flowing to/from the U.S. parent. The company is presented throughout the data room solely as a Delaware C-corp subject to U.S. corporate income tax (cap table summary), with no mention of a German entity/branch, German tax filings, VAT registration, or transfer-pricing documentation. Separately, Tidewater is an EU (Belgian) customer billed in EUR ($3.1M, ~7.5% of ARR), raising EU VAT treatment questions (place-of-supply / reverse-charge for B2B digital services) that interact with any German fixed establishment. Undocumented foreign operations of this nature create unreserved corporate-tax, VAT and transfer-pricing exposure plus penalty/interest risk. Calibrated P2 pending confirmation of the branch's substance and filing history (see gaps).
Confidence: medium
Northwind_Logistics/dpa_tidewater.pdf.md (Annex 2 — Approved Sub-Processors, Row 4)“Northwind Logistics Software, Inc. (intra-group EEA branch operations)”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 6.3 (International Transfers))“The Processor's primary hosting and Processing of EU Personal Data shall take place within the European Economic Area (Frankfurt, Germany region) save as expressly set out in Annex 2.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 2.3)“The annual subscription fee payable by the Controller under the Agreement is USD $3,100,000 (representing approximately 7.5% of the Provider's total annual recurring revenue)”
○ P3 Worker-classification risk on Route Optimization Engine contractor engagement ▶
Source: Northwind Logistics | Agent: tax
Northwind engaged Signatory C as an independent contractor for a $185,000 fixed fee to build the core Route Optimization Engine, with the contractor required to personally perform the services and barred from subcontracting without consent, working with company-provided repositories/credentials, and subject to company direction on scope and acceptance. The agreement places all employment/self-employment tax responsibility on the contractor and provides for IRS Form 1099-NEC reporting. The combination of personal-performance requirement, integration of the deliverable into the company's core platform, and company direction creates a worker-misclassification risk; if the IRS or a state agency were to reclassify the engagement as employment, Northwind could face back employment taxes, withholding, and penalties. Modest dollar magnitude ($185K) and a single identified engagement support a P3, but the buyer should confirm whether other contractors are similarly engaged.
Confidence: medium
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Section 3.4 (No Benefits; Taxes))“Contractor is solely responsible for all federal, state, and local taxes, including self-employment taxes, arising from amounts paid under this Agreement. Company shall report payments on IRS Form 1099-NEC as required by law.”
Northwind_Logistics/contractor_agreement_route_engine.pdf.md (Exhibit A, Section 6 (Key Personnel))“Contractor (Signatory C) shall personally perform the Services and shall not subcontract any portion of the Services without Company's prior written consent.”
○ P3 Cobalt $28.8M up-front prepayment creates significant book-tax timing difference / advance-payment income question ▶
Source: Northwind Logistics | Agent: tax
The Cobalt Retail order was invoiced and cash-collected in full ($28,800,000) on January 15, 2025 for a 36-month service period (2025-2027). For U.S. federal tax purposes, advance payments for services received in 2025 are generally includible in taxable income on receipt, subject only to the limited one-year deferral under IRC §451(c) — a treatment that diverges from the book recognition pattern (the FP&A note flags a front-loaded book recognition that itself differs from straight-line). This produces a material book-tax timing difference and a corresponding deferred-tax position that the buyer should confirm was correctly computed and reflected in the tax provision and estimated payments. Revenue-recognition mechanics themselves are Finance's domain; this finding is limited to the tax-accounting/advance-payment dimension. P3 — a provision/timing item to verify, not a standalone liability.
Confidence: medium
Northwind_Logistics/order_form_cobalt_retail.pdf.md (Section 4.5 (Invoice and Collection))“Invoice No. NW-INV-2025-0021 in the amount of $28,800,000 was issued on January 15, 2025 and paid and cash-collected in full on January 15, 2025.”
Northwind_Logistics/arr_schedule.xlsx.md (Sheet 4.1 — FP&A recognition note)“The Cobalt $28.8M / 36-month prepaid arrangement was recognized with a front-loaded Year-1 tranche rather than ratably over the 36-month service period.”
Regulatory
◆ P2 Date discrepancy in Tidewater DPA execution date between DPA and Sub-Processor Register (2025-03-01 vs 2024-09-12) ▶
Source: Northwind Logistics | Agent: regulatory
The Tidewater DPA document states it was executed on 1 March 2025 (Effective Date of the Agreement and signature dates of both parties). However, the Sub-Processor Register §2 states the Tidewater DPA was 'executed 2024-09-12.' These two company-prepared documents disagree on the execution/effective date of the same DPA. This is a documentary inconsistency that should be reconciled to confirm which DPA version governs and that the controlling DPA Annex 2 is the one being measured against. Moderate/administrative severity — likely a drafting error but warrants confirmation given the live sub-processor compliance gap keyed to Annex 2.
Confidence: medium
Northwind_Logistics/dpa_tidewater.pdf.md (Preamble / Section 11.1)“This DPA takes effect on the Effective Date of the Agreement (1 March 2025) and continues for the **two (2) year** initial term of the Agreement”
Northwind_Logistics/subprocessor_register.pdf.md (Section 2)“The Tidewater Master Services Agreement incorporates a Data Processing Agreement ("**Tidewater DPA**") executed 2024-09-12.”
● P1 Unlawful EU-to-US transfer of EU driver telemetry to TelemetryWorks (no SCCs, no DPA, not in Annex 2) — active GDPR Chap ▶
Source: Northwind Logistics | Agent: regulatory
Northwind streams real-time EU (Belgian) driver location/GPS telemetry and trip metadata for the Tidewater tenant to sub-processor TelemetryWorks Inc., hosted in Portland, Oregon, USA. Per the company's own Sub-Processor Register (2026-Q1, status OPEN/unresolved), this transfer has (a) no SCCs on file, (b) no executed Article 28 DPA between Northwind and TelemetryWorks, (c) no EU-US Data Privacy Framework certification verified, and (d) no other Article 46 transfer mechanism — i.e. NO lawful transfer basis under GDPR Chapter V. Separately, TelemetryWorks is NOT listed in Tidewater DPA Annex 2, so Tidewater was never notified of or given the opportunity to object to this sub-processor as required by DPA §5.1, and the DPA's own §5.3/§6.1 require an SCC or valid Chapter V mechanism for any non-EEA, non-adequate sub-processor. The engagement bypassed the DPO sub-processor-approval workflow. This is an active, in-production processing activity affecting EU data subjects and constitutes a GDPR violation exposing Northwind to supervisory-authority enforcement (Art. 83 fines up to 4% of global turnover) and breach-of-contract/termination exposure under the Tidewater DPA. All four remediation items are 'Not started.' Severity P1 (not P0): it is remediable pre-close via SCC/DPA execution, Tidewater notification, and/or re-routing telemetry to EEA, and Tidewater represents only ~7.5% of ARR.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 3 (TelemetryWorks Inc.); Section 4 Flagged Gap)“SCCs: none on file. No DPA executed with Northwind covering EU data. No adequacy basis. Transfer mechanism: NONE.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.2(b))“The telemetry data is personal data of EU data subjects (Belgian drivers) transferred from the EEA to the United States. **No EU Standard Contractual Clauses (SCCs) are on file**, no EU–US Data Privacy Framework certification has been verified for TelemetryWorks, and no other Article 46 transfer mechanism is in place. The US transfer currently has **no lawful transfer basis** documented.”
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.3 (Sub-Processing))“Where any Sub-processor is established in, or Processes EU Personal Data from, a country outside the European Economic Area that has not been the subject of an adequacy decision, the Processor shall ensure that such transfer is covered by the Standard Contractual Clauses or another valid transfer mechanism under Chapter V GDPR, and shall list such Sub-processor in Annex 2 together with the applicable transfer safeguard.”
◆ P2 Sub-processor change-notification obligation to EU customer triggered; Tidewater not notified of TelemetryWorks per DPA ▶
Source: Northwind Logistics | Agent: regulatory
The Tidewater DPA §5.1 grants the controller a 30-day advance notice-and-objection right for any new sub-processor. Northwind's own register confirms TelemetryWorks was onboarded by Platform Engineering without routing through the DPO approval workflow and is absent from DPA Annex 2, meaning the contractual notification right was not honored. Beyond the Chapter V transfer issue (separate finding), this is a standalone contractual data-protection process failure that the acquirer should require be cured (Tidewater notification + Annex 2 update) pre- or shortly post-close. Moderate severity: addressable through standard remediation; remediation item is logged but 'Not started.'
Confidence: high
Northwind_Logistics/dpa_tidewater.pdf.md (Section 5.1)“The Processor shall inform the Controller of any intended addition or replacement of a Sub-processor not less than thirty (30) days in advance, thereby giving the Controller the opportunity to object.”
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.4 Internal note)“the engagement was not routed through the DPO sub-processor-approval workflow, which is why it is absent from both this register's prior revisions and the Tidewater DPA Annex 2.”
○ P3 Incidental EU driver data may reach US-based HelpDeskNow tickets; scope limited to admin-contact SCCs ▶
Source: Northwind Logistics | Agent: regulatory
HelpDeskNow Inc. (Virginia, USA) provides support ticketing and is covered by 2021 EU module SCCs for admin-contact data, with 'driver telemetry out of scope.' The register notes 'incidental driver data if pasted into tickets,' which could place EU driver personal data outside the documented SCC scope on an ad hoc basis. Low severity/informational: the primary transfer mechanism exists for the in-scope data; recommend confirming DLP/process controls prevent driver data entering tickets. Noted for completeness.
Confidence: medium
Northwind_Logistics/subprocessor_register.pdf.md (Section 3, Row 5 (HelpDeskNow Inc.))“Northwind customer-admin support contacts; incidental driver data if pasted into tickets”
ESG
○ P3 ESG governance gap: vendor onboarded outside DPO approval control, indicating internal-control weakness ▶
Source: Northwind Logistics | Agent: esg
The sub-processor register discloses that a US-based data-processing vendor (TelemetryWorks Inc.) was onboarded by Platform Engineering without routing through the Data Protection Officer's sub-processor-approval workflow. While the substantive data-privacy/transfer exposure is for the Legal/Regulatory/Cybersecurity specialists, from an ESG-governance ('G') lens this reflects a control-environment weakness: a defined governance workflow was bypassed by an operating team, and the lapse went undetected across prior register revisions. Relevant to assessing board/management oversight maturity and governance controls in the combined entity. Severity kept at P3 because the privacy substance is owned by other domains and the governance lapse is a single, self-disclosed control deviation.
Confidence: high
Northwind_Logistics/subprocessor_register.pdf.md (Section 4.4 Internal note)“TelemetryWorks was onboarded by the Platform Engineering team in 2025 to improve route-ETA accuracy; the engagement was not routed through the DPO sub-processor-approval workflow, which is why it is absent from both this register's prior revisions and the Tidewater DPA Annex 2.”
Gaps
| Priority | Type | Missing Item | Risk | Why Needed | Request to Company | Agent |
|---|---|---|---|---|---|---|
| P1 | Missing_Doc | Cobalt Retail Group Master Services Agreement (the MSA referenced by Order Form NW-OF-2025-0007, dated December 18, 2024) | Unknown CoC/termination exposure on the single largest cash-collected contract; cannot confirm whether the Summit acquisition triggers any Cobalt consent or termination right, or whether the $28.8M prepayment is refundable on a CoC/termination. | Cobalt is the #2 customer at $9,600,000 ARR (23.3% of total ARR) with a $28.8M prepaid TCV. Only the Order Form is in the data room; it incorporates the underlying MSA by reference but that MSA is absent. Change-of-control, assignment, termination, liability, and IP terms governing 23.3% of revenue cannot be assessed. | Provide the executed Cobalt Retail Group MSA dated December 18, 2024 (and any amendments) referenced in Order Form NW-OF-2025-0007 §9 / MSA Reference line. | legal |
| P2 | Missing_Doc | Tidewater Distribution N.V. Master Services Agreement (the agreement into which the Tidewater DPA is incorporated) | Cannot evaluate Tidewater's termination/CoC rights or its contractual claims arising from the unauthorized US telemetry transfer. | Tidewater is the only EU customer ($3,100,000 ARR, 7.5%) and the subject of an active GDPR transfer violation. The DPA is present but the underlying MSA (with CoC, assignment, termination, liability terms) is not, so the customer's contractual remedies for the GDPR breach and any CoC rights cannot be assessed. | Provide the executed Tidewater Distribution N.V. MSA for cloud freight-management software referenced as dated 1 March 2025 in the DPA. | legal |
| P1 | Missing_Doc | Present IP assignment / work-made-for-hire confirmation from contractor Signatory C for the Route Optimization Engine | Contractor retains ownership of core algorithms/source code and could exploit or license them to competitors; the non-exclusive license is not stated to be irrevocable/perpetual, creating freedom-to-operate and IP-portfolio-strength risk. | The Route Optimization Engine is a core platform component but the contractor agreement grants Northwind only a non-exclusive license with no ownership assignment. An executed assignment is required for Northwind (and the acquirer) to own the IP of a core differentiating feature. | Provide any executed IP assignment, deliverable acceptance with assignment language, or side letter transferring ownership of the Route Optimization Engine work product from Signatory C to Northwind; if none exists, obtain a present assignment pre-close. | legal |
| P2 | Missing_Data | Executed (signed and dated) copies of the Employee Proprietary Information and Inventions Assignment Agreement for key personnel | Cannot confirm that all employees who created platform IP actually executed the assignment; potential gaps in IP chain-of-title for employee-created code. | The employee IP agreement in the data room is a blank standard form with unsigned, undated signature and Exhibit A (Prior Inventions) blocks. To confirm IP chain-of-title for the core platform, executed agreements for founders/engineers (e.g., the CEO and lead architects) are needed. | Provide executed copies of the Employee Proprietary Information and Inventions Assignment Agreement for all founders and engineering personnel, with completed Exhibit A (Prior Inventions). | legal |
| P1 | Missing_Doc | Executed SCCs and Article 28 DPA between Northwind and TelemetryWorks Inc.; updated Tidewater DPA Annex 2 | Ongoing GDPR Chapter V / Article 28 violation; supervisory-authority fines and Tidewater contractual claims; acquirer inherits the exposure at closing. | Required to lawfully transfer EU driver telemetry to the US sub-processor and to satisfy the Tidewater DPA sub-processing/notice obligations. The sub-processor register confirms none exist and all remediation items are 'Not started.' | Provide (or commit to executing pre-close) EU 2021 controller-to-processor SCCs and an Article 28 DPA with TelemetryWorks, a transfer-impact assessment, and the Tidewater Annex 2 update/notification; or confirm telemetry re-routing to EEA-hosted analytics. | legal |
| P2 | Missing_Doc | Certificate of Incorporation (as amended) and Series A/B Preferred Stock Purchase Agreements | Cannot confirm the precise stockholder consent thresholds and protective provisions that condition the acquisition closing. | Referenced as Exhibits C and D to the cap table summary; needed to confirm the exact CoC definition, Series B protective provisions (CoC consent), liquidation preference waterfall, and any drag-along/consent mechanics affecting closing. | Provide the current Certificate of Incorporation (as amended) and the Series A and Series B Preferred Stock Purchase Agreements (cap table Exhibits C and D). | legal |
| P2 | Contradiction | Reconciliation of conflicting Tidewater DPA execution dates | Ambiguity over which DPA version governs and the breach timeline for the TelemetryWorks transfer. | The Tidewater DPA states it is incorporated into an MSA 'dated 1 March 2025' and is signed 1 March 2025, while the sub-processor register states the 'Tidewater DPA executed 2024-09-12.' The correct effective date matters for determining when GDPR obligations (and the unauthorized-transfer breach window) began. | Confirm the correct Tidewater DPA execution date and provide all DPA versions (2024-09-12 and/or 1 March 2025) and Annex 2 revisions. | legal |
| P3 | Missing_Doc | Exclusivity clause search — none found in any customer contract | Low — absence of exclusivity is generally favorable; recorded for completeness. All access grants are expressly 'non-exclusive.' | Standard DD check for exclusivity/sole-provider commitments that could restrict the combined entity. Reviewed all four MSAs and the Cobalt order form. | Confirm no side letters grant any customer exclusivity, MFN, or most-favored pricing rights. | legal |
| P1 | Missing_Doc | Audited financial statements (trailing twelve months) for Northwind Logistics Software, Inc. | Reported revenue and ARR quality cannot be independently verified; risk of overstatement and post-close restatement. | All ARR/revenue figures in the data room are management-prepared and unaudited; the ARR schedule is certified only by the CEO (Signatory A). A TTM audit is needed to validate revenue, particularly given the flagged Cobalt front-loaded recognition and the unreserved Harbor refund liability. | Provide audited (or independently reviewed) financial statements for the trailing twelve months ended 2026-03-31, including the deferred-revenue waterfall. | finance |
| P1 | Missing_Data | GL deferred-revenue waterfall / balance-sheet confirmation of Cobalt unconsumed ~$16.8M deferred balance | Cannot quantify the revenue-quality adjustment or the size of any restatement of the front-loaded Cobalt recognition. | FP&A note recommends confirming the deferred-revenue balance attributable to the Cobalt prepaid arrangement (~$16.8M straight-line) against the GL; needed to quantify the recognized-vs-deferred restatement. | Provide the GL deferred-revenue waterfall as of 2026-03-31 and the ASC 606 performance-obligation memo for the Cobalt arrangement. | finance |
| P2 | Missing_Doc | Insurance program documentation (E&O / professional liability / cyber insurance policies and limits) | Unquantified exposure on indemnity, data-breach, and professional-liability claims with no documented risk transfer. | No insurance, errors-and-omissions, professional-liability, or cyber-insurance requirement or certificate appears in any reviewed contract or financial document. Given SaaS data-processing exposure (GDPR, telemetry) and customer indemnities, the buyer needs the insurance program to assess risk transfer. | Provide current insurance certificates and policy schedules (E&O/professional liability, cyber, general liability) with limits and expiry dates. | finance |
| P1 | Missing_Doc | Executed Cobalt Retail Group Master Services Agreement dated December 18, 2024 | Undisclosed change-of-control termination or pro-rata refund exposure on a fully-prepaid $28.8M arrangement cannot be assessed; if the Cobalt MSA mirrors Meridian's CoC right, an additional 23.3% of ARR could be at risk on close. | The Cobalt order form (23.3% of ARR, $28.8M prepaid) is governed by and incorporates this MSA, but only the order form is in the data room. The MSA contains the CoC, termination, SLA, indemnity, liability, and refund terms for the second-largest customer. | Provide the fully-executed Cobalt Retail Group MSA dated December 18, 2024, including all exhibits, CoC and termination clauses, and any amendments or side letters. | commercial |
| P2 | Missing_Doc | Executed Tidewater Distribution N.V. Master Services Agreement dated 1 March 2025 | Cannot assess whether the EU customer holds CoC/termination rights, and cannot evaluate churn risk compounded by the open GDPR sub-processor transfer violation affecting Tidewater data (see subprocessor_register.pdf). | The Tidewater DPA incorporates by reference an MSA dated 1 March 2025 for $3.1M / 7.5% of ARR (the only EU customer), but the MSA itself is not in the data room. CoC, termination, renewal, and SLA terms for the EU account are unverifiable. | Provide the executed Tidewater Distribution N.V. MSA dated 1 March 2025 and all exhibits/order forms. | commercial |
| P3 | Missing_Doc | Customer contracts / click-through terms for the 47 long-tail SMB accounts (11.7% of ARR) | Cannot verify renewal mechanics, TfC rights, or CoC terms for the long-tail cohort, or confirm enforceability of click-through terms. | 47 SMB accounts totaling $4.8M / 11.7% of ARR are described as 'click-through terms' but no representative agreement or order form is in the data room. | Provide the standard SMB click-through/online terms of service and a sample executed SMB order form. | commercial |
| P3 | Missing_Data | Customer Health Scores / churn-risk dashboard for the enterprise customer cohort | Termination/renewal risks cannot be weighted by likelihood of exercise; reliance on management's 'manageable concentration' assertion only. | Commercial diligence requires cross-referencing contract terms (esp. Meridian CoC and Harbor TfC) against customer health/satisfaction data to assess actual churn propensity. | Provide customer health scores, NPS/CSAT data, support-ticket trends, and any at-risk-account watchlist for the top-5 accounts. | commercial |
| P3 | Missing_Data | Standard rate card / pricing schedule | Cannot evaluate pricing-model risk (per-seat vs enterprise flat) or whether renewal uplift caps (e.g., Cobalt 5%) keep pace with cost; effective pricing per cohort unverifiable. | To benchmark effective per-account pricing and assess discounting consistency across the enterprise cohort and renewal uplift assumptions. | Provide the current standard rate card / price book and discount-approval policy. | commercial |
| P3 | Missing_Data | Most Favored Nation (MFN) / price-parity clause | Low — searched all four MSAs and the Cobalt order form; no MFN, price-parity, or most-favored-customer language found. Recorded as Not_Found per extraction guidance. | MFN/best-price clauses would constrain future pricing and create cross-customer repricing exposure. | Confirm no customer agreement contains MFN, price-parity, or most-favored-customer provisions. | commercial |
| P3 | Missing_Data | Exclusivity / sole-provider clause | Low — all access grants are expressly 'non-exclusive'; no exclusivity, sole-provider, or preferred-vendor language found in any agreement. Recorded as Not_Found. | Exclusivity or preferred-vendor status would affect competitive positioning and customer lock-in valuation. | Confirm no customer agreement grants exclusivity or sole/preferred-vendor status. | commercial |
| P2 | Missing_Doc | SOC 2 (Type I/II) report or equivalent independent security audit for the Northwind TMS platform | Security posture cannot be independently verified; undisclosed control gaps could surface post-close as customer audit failures, breach liability, or remediation cost. | Customer MSAs commit to 'commercially reasonable' and 'industry standard' security safeguards and the Tidewater DPA Annex 1 represents a full TOM set (AES-256 at rest, TLS 1.2+, MFA, IDS, annual pentest). Independent attestation is needed to validate these claims for a SaaS platform processing enterprise and EU personal data. | Provide the most recent SOC 2 Type II report (or ISO 27001 certificate) covering the TMS platform, including scope, period, and any noted exceptions. | producttech |
| P2 | Missing_Doc | Independent penetration test report referenced by the Tidewater DPA Annex 1 | Unable to confirm pentest cadence is met or whether material findings remain open; potential unremediated vulnerabilities affecting customer/EU data. | DPA Annex 1 item 6 commits to 'Annual penetration testing by an independent third party.' The actual report (findings, severities, remediation status) is needed to assess current security posture and open vulnerabilities. | Provide the two most recent independent penetration test reports with finding IDs, severities, and remediation status. | producttech |
| P2 | Missing_Doc | Data Processing Addendum for Cobalt Retail Group (referenced as incorporated into the MSA but absent) | Cannot verify data-protection terms, sub-processor obligations, or breach-notification commitments for a 23.3%-of-ARR customer; potential undisclosed obligations. | Cobalt Order Form Section 5.4 states 'Provider's processing of Customer personal data is governed by the Data Processing Addendum incorporated into the MSA,' but no Cobalt DPA (or the underlying Cobalt MSA dated Dec 18 2024) is present. Cobalt is the second-largest account (23.3% ARR). | Provide the executed Cobalt Retail Group MSA (dated December 18, 2024) and the incorporated Data Processing Addendum. | producttech |
| P2 | Missing_Doc | Platform architecture / integration specification and technology-stack documentation | Integration cost and migration complexity cannot be estimated; hidden technical debt or scalability constraints may surface post-close. | No technical architecture diagram, integration/API specification, technology-stack inventory, or capacity/scalability plan is present. These are needed to assess migration complexity into Summit, integration effort, vendor lock-in, and ability to meet 99.9% SLAs. | Provide platform architecture documentation, the carrier/EDI integration spec (Cobalt order references up to 75 connected carriers + EDI gateway), technology-stack inventory, and any capacity/scaling plans. | producttech |
| P1 | Missing_Doc | Executed Article 28 DPA and EU SCCs between Northwind and TelemetryWorks Inc. | Ongoing unlawful Chapter V transfer of EU personal data; GDPR enforcement exposure (fines up to 4% of global turnover) and breach of the Tidewater DPA; potential customer termination/claim. | TelemetryWorks actively processes EU driver telemetry in the USA with no DPA and no transfer mechanism (see finding above). Executed SCCs and an Article 28 DPA are legally required to lawfully continue the data flow. | Provide executed EU 2021 controller-to-processor SCCs and an Article 28 DPA with TelemetryWorks, a transfer-impact assessment, and confirmation of Tidewater notification / Annex 2 update — or confirmation that telemetry has been re-routed to EEA-hosted analytics. | producttech |
| P2 | Contradiction | Reconciliation of Tidewater DPA execution date (1 March 2025 on the signed DPA vs 2024-09-12 cited in the Sub-Processor Register) | Uncertainty over which DPA version and Annex 2 list is authoritative; weakens reliance on the GDPR documentation set. | The signed DPA is dated 1 March 2025; the Sub-Processor Register states the Tidewater DPA was executed 2024-09-12. The correct effective/execution date is needed to establish the compliance timeline and which sub-processor list governs. | Confirm the correct Tidewater DPA execution date and provide all DPA versions/amendments with their effective dates. | producttech |
| P2 | Missing_Doc | SOC 2 Type II report | Cannot independently verify that the controls represented in the Tidewater DPA Annex 1 are actually implemented and operating; may impede enterprise customer retention/new-logo acquisition. | Standard evidence of operating effectiveness of security controls for a B2B SaaS provider; enterprise customers (Meridian, Cobalt) typically require it. | Provide the most recent SOC 2 Type II report (and bridge letter) including scope, period, and any noted exceptions. | cybersecurity |
| P2 | Missing_Doc | ISO/IEC 27001 certificate | No evidence of a recognized security governance framework or its certification status; framework maturity unverifiable. | Confirms an established, audited information security management system (ISMS) and current certification validity. | Provide ISO 27001 certificate with scope statement and validity dates, or confirm no certification is held. | cybersecurity |
| P2 | Missing_Doc | Independent penetration test report | Cannot assess outstanding high/critical vulnerabilities or remediation posture; contractual commitment to annual pentest is unverified. | The Tidewater DPA Annex 1 commits to 'Annual penetration testing by an independent third party'; the report itself evidences findings and remediation status. | Provide the most recent independent penetration test report with finding IDs, severities, and remediation status. | cybersecurity |
| P2 | Missing_Doc | Incident response plan (IRP) document | Cannot confirm breach detection/response capability or whether the 72-hour notification obligation can be met. | The DPA commits to 'Documented incident-response and business-continuity procedures' and a 72-hour breach-notification obligation; the plan evidences readiness, last review date, and tabletop exercises. | Provide the documented incident response plan, last review/test date, and any tabletop exercise results. | cybersecurity |
| P2 | Missing_Data | Data breach / security incident history disclosure | Undisclosed breaches affecting customer/driver PII could surface post-close as liability; no representation found either way. | Required to assess undisclosed breaches, regulatory notifications, and residual liability; a core DD item for a PII-processing SaaS. | Provide a written breach/incident history (last 5 years), including any regulatory notifications and remediation, or a no-incident representation. | cybersecurity |
| P3 | Missing_Doc | Access control / MFA and identity governance policy | Cannot confirm MFA is enforced for all privileged accounts or that access reviews actually occur. | The DPA commits to MFA for admin/production access, RBAC, and quarterly access reviews; the underlying policy evidences enforcement scope and exceptions. | Provide the access control / identity management policy and evidence of the most recent quarterly access review. | cybersecurity |
| P3 | Missing_Doc | Vulnerability management program / recent scan results | Unknown exposure to unpatched vulnerabilities in the production platform. | Evidences patch cadence, scan frequency, and outstanding vulnerabilities. | Provide the vulnerability management policy and the two most recent scan summaries. | cybersecurity |
| P2 | Missing_Doc | Executive employment agreements and post-close retention/non-compete agreements for CEO (Signatory A) and Co-Founder (Holder Y) and other key personnel | Founder/key-talent departure at or shortly after closing with no restrictive covenants could impair operations, customer relationships, and product continuity; retention packages may need to be negotiated pre-close. | Founders hold 49.54% FD and the CEO is the central key person across the company; the acquirer needs to know whether founders/key staff are contractually retained post-close, subject to non-competes, and on what compensation terms. | Provide all executive employment agreements, offer letters, retention/stay-bonus agreements, earn-out terms, and any non-compete/non-solicit covenants for the CEO, co-founder, and named key personnel. | hr |
| P2 | Missing_Doc | Option grant schedule with vesting and change-of-control acceleration terms (Exhibit B), and employee equity/CoC acceleration policy | Cannot quantify unvested retention overhang or golden-parachute/CoC acceleration cost; cannot assess whether key engineers have a stay incentive post-close. | Unvested equity and single/double-trigger CoC acceleration determine the cost and effectiveness of employee retention in the acquisition and the dilution/parachute exposure to the buyer. | Provide the full option grant schedule (grant date, strike, vesting, cliff), the equity incentive plan document, and any change-of-control acceleration provisions applicable to employee equity. | hr |
| P3 | Missing_Data | Organizational chart, headcount roster, and workforce composition (by function, location, FT/PT/contractor) | Cannot assess bench strength, single-points-of-failure beyond the contractor/founders, or WARN-Act exposure from any planned reductions. | Baseline workforce composition is needed to assess organizational structure, succession bench strength, key-person concentration, and integration planning. | Provide a current org chart, full headcount roster by department and location, and a breakdown of employees vs. independent contractors. | hr |
| P3 | Missing_Doc | Benefits documentation (health/welfare plans, 401(k)/retirement, deferred compensation) and any pension/post-retirement obligations | Unquantified benefits liabilities or deferred-compensation obligations could surface post-close; benefits harmonization costs unknown. | Required to quantify benefits liabilities (funded status, deferred comp, accrued PTO) and assess assumption/transition costs in the acquisition. | Provide summary plan descriptions for all employee benefit plans, 401(k)/retirement plan documents and funded status, deferred-compensation arrangements, and accrued PTO/leave liability. | hr |
| P3 | Missing_Data | Labor compliance certifications, outstanding wage/hour or employment claims, and union/collective-bargaining status | Undisclosed employment litigation or labor exposure could create post-close liability not reflected in the purchase price. | Needed to confirm no pending employment litigation, labor-board proceedings, or CBA exposure, and to assess multi-jurisdiction (incl. any EU/international staff) labor compliance. | Provide a schedule of any pending or threatened employment claims, wage/hour audits, labor-board matters, and confirmation of union/CBA status and worker-classification methodology. | hr |
| P2 | Missing_Doc | Federal and state income tax returns (and any foreign returns) for all open years | Undetected open-year liabilities, uncertain tax positions, or non-filing in states/countries where nexus exists transfer to the buyer in a stock deal. | Required to assess income-tax compliance, open-year exposure, effective tax rate, and the accuracy of the tax provision for a Delaware C-corp acquired on a stock basis. | Provide all filed federal, state, and foreign income tax returns for the last 3-4 open years, plus any extensions, amended returns, and audit correspondence. | tax |
| P2 | Missing_Data | NOL / tax-attribute schedule and Section 382 ownership-change analysis | If material NOLs exist, the Section 382 annual limitation could sharply reduce or eliminate their value to the buyer; the benefit cannot be quantified or priced without the attribute schedule and a 382 study. | Northwind is a venture-funded startup (incorporated 2018, Series A/B) that likely has NOL carryforwards. Summit's acquisition of >50% of the equity is a Section 382 ownership change that would limit post-change NOL utilization. | Provide NOL and tax-credit carryforward schedules by jurisdiction with expiration, prior ownership-change (382) studies, and any built-in gain/loss analysis. | tax |
| P2 | Missing_Doc | Transfer-pricing documentation for intra-group U.S.-Germany (EEA branch) operations | Absent transfer-pricing documentation, German and U.S. authorities could reassess intercompany charges, with penalties; PE attribution of profits to Germany may be undocumented. | The Tidewater DPA discloses intra-group EEA branch operations in Frankfurt; intercompany services between the U.S. parent and the German branch/affiliate require arm's-length pricing support (local file/master file) and may trigger CbCR considerations. | Provide transfer-pricing documentation (master/local file), intercompany services agreements, and any APAs covering the U.S.-Germany operations. | tax |
| P2 | Missing_Doc | Sales/use tax nexus study, state registrations, and collection/remittance records | Uncollected SaaS sales tax (plus penalties/interest) across multiple states becomes a buyer liability in a stock acquisition; magnitude is unquantifiable without the study. | Needed to determine in which states SaaS is taxable and where Northwind has physical or economic nexus, and to verify whether sales/use tax has been collected and remitted. | Provide any sales/use tax nexus study, state sales-tax registrations, returns filed, exemption certificates collected, and any voluntary disclosure agreements. | tax |
| P2 | Missing_Data | EU/German VAT registration status and VAT returns | Unregistered/uncollected VAT and incorrect place-of-supply treatment create EU VAT assessments plus penalties and interest. | EUR-billed EU revenue (Tidewater, $3.1M) combined with apparent German fixed establishment raises VAT registration, charging, and reporting obligations that must be confirmed. | Confirm EU/German VAT registration status, provide VAT returns, and explain VAT treatment of EU SaaS sales (reverse charge vs. local charge) given any German establishment. | tax |
| P3 | Missing_Data | Tax provision / ASC 740 reserve detail (including uncertain tax positions) | Unreserved tax exposures could surface post-close as unrecorded liabilities; the buyer cannot assess provision adequacy. | Needed to evaluate whether reserves adequately cover the sales-tax nexus, PE/VAT, and worker-classification exposures identified, and to validate the deferred-tax effect of the Cobalt prepayment timing difference. | Provide the tax provision workpapers, ASC 740 UTP analysis, and deferred-tax schedules for the most recent periods. | tax |
| P1 | Missing_Doc | Executed SCCs and Article 28 DPA between Northwind and TelemetryWorks Inc. (US sub-processor) | Continued unlawful international transfer of EU personal data; supervisory-authority enforcement and Art. 83 fines (up to 4% global turnover); Tidewater contractual breach and potential termination of a 7.5%-of-ARR EU account. | Required to establish a lawful GDPR Chapter V transfer basis for EU driver telemetry sent to the US and to satisfy the Tidewater DPA §5.2/§5.3 sub-processor flow-down obligations. The register confirms none exist. | Provide executed SCCs (Module Two, controller-to-processor), an executed Article 28 DPA with TelemetryWorks, and a transfer-impact assessment; or evidence that telemetry has been re-routed to EEA-hosted analytics. | regulatory |
| P3 | Missing_Doc | Material licenses, permits, and regulatory authorizations inventory + transferability/CoC consent analysis | Cannot confirm absence of license-transfer obstacles. Risk is low given SaaS business model typically requires no industry operating licenses, but absence should be confirmed. | Standard regulatory DD requires inventory of any operating licenses/permits and assessment of whether they transfer or require consent on change of control. Northwind is a B2B SaaS TMS provider; no license documents are present in the data room. | Confirm whether the company holds any material operating licenses, permits, or regulatory registrations (e.g., FMCSA/broker authority, telecom, or data-broker registrations) and whether any require consent or re-application on the Summit acquisition. | regulatory |
| P3 | Missing_Data | Regulatory enforcement / investigation status representation (GDPR supervisory authority, any sector regulator) | Undisclosed regulatory enforcement (e.g., a Belgian DPA complaint arising from the TelemetryWorks transfer) could create post-close liability. | To confirm there are no active or pending regulatory investigations, enforcement actions, or consent decrees. The board deck (DD-output) flags no such items, but no affirmative no-enforcement representation is in the data room. | Provide a representation as to any pending/threatened regulatory investigations, complaints, or enforcement actions, including any DPA inquiries relating to the disclosed TelemetryWorks transfer gap. | regulatory |
| P3 | Missing_Data | Carbon emissions profile (Scope 1, 2, and 3) and cloud-hosting energy/emissions data | Combined-entity climate disclosure (SEC climate rule / CSRD if EU footprint scales) cannot be prepared without a baseline; energy-cost and carbon-pricing exposure of hosting cannot be quantified. | No greenhouse-gas inventory or carbon data exists anywhere in the data room. As a cloud SaaS company, Northwind's principal climate exposure is Scope 2 (purchased electricity for hosting) and Scope 3 (cloud infrastructure vendors such as CloudHarbor EU GmbH, ArchiveVault EU, Aurora Cloud Hosting GmbH). The acquirer (Summit Industrial Group) operates physical fleets, so consolidated climate-disclosure readiness will require Northwind's emissions baseline. | Provide any GHG inventory, cloud provider energy/carbon reports, or renewable-energy commitments for Northwind's hosting footprint (Frankfurt EEA region and others). | esg |
| P3 | Missing_Doc | ESG governance structure, board ESG oversight, and materiality / double-materiality assessment | No structured identification of material ESG risks; the combined entity may need to stand up ESG governance and reporting from scratch post-close. | The Q1 2026 board deck enumerates key risks (concentration, competition, hiring, macro freight softness) but lists no ESG, climate, environmental, or sustainability risk and shows no board-level ESG oversight or materiality assessment. Acquirers increasingly expect a baseline ESG governance structure for integration and disclosure alignment (TCFD/SASB/GRI/CSRD). | Provide any ESG/sustainability policy, board committee charter covering ESG/climate, and any materiality assessment. | esg |
| P3 | Missing_Doc | Environmental site assessments (Phase I/II ESA) for any owned or leased real property | Low residual risk that a leased/owned facility carries environmental liability not surfaced in the data room. | Standard environmental DD checklist item. As a cloud software company headquartered in Columbus, Ohio with no disclosed manufacturing, land holdings, or hazardous-materials operations, contamination/CERCLA exposure is inherently low, but no real-property schedule or ESA was provided to confirm the absence of owned/leased sites with environmental liability. | Confirm Northwind holds no owned real property and provide a list of leased premises; confirm no past operations involved hazardous materials or contaminated sites. | esg |
| P3 | Missing_Data | ESG disclosure / CSRD applicability assessment for EU activities | If EU presence grows under Summit, CSRD/ESRS reporting obligations could attach without preparation; misjudging scope could create non-compliance exposure. | Northwind serves an EU customer (Tidewater Distribution N.V., Belgium) and operates an intra-group EEA branch in Frankfurt (per Tidewater DPA Annex 2). Whether the entity or the post-close group triggers CSRD or other EU non-financial disclosure obligations is not assessed in the data room. | Provide an assessment of EU establishment size (headcount, turnover) and any analysis of CSRD/ESRS or local non-financial reporting applicability for the Frankfurt branch and EU operations. | esg |
Reference (0 findings, 5 gaps) ▶
Gaps
| Priority | Type | Missing Item | Risk | Why Needed | Request to Company | Agent |
|---|---|---|---|---|---|---|
| P3 | Missing_Doc | Cybersecurity content in acquirer reference overview | None for cybersecurity scope — this is acquirer context only and is explicitly not routed for findings. Data-privacy/GDPR posture is flagged as a buyer diligence focus area, which is addressed via the target's documents. | The buyer_overview.pdf.md is an acquirer-context reference document; it contains no cybersecurity posture, breach history, certifications, or security obligations to analyze. | No request required; security diligence is conducted against the target (Northwind) documents. | cybersecurity |
| P3 | Missing_Data | Any workforce, compensation, benefits, or labor-compliance content for the target (none present in reference subject) | None at the reference-subject level; HR analysis is performed against the target's own documents. | The _reference subject contains only the acquirer-context overview, which is explicitly not routed for findings; HR workforce data for the target resides under the Northwind_Logistics subject. | No request specific to this subject; workforce documentation requests are recorded against the Northwind_Logistics subject. | hr |
| P3 | Missing_Doc | Deal-structure tax analysis (stock vs. asset / 338(h)(10) or 336(e) election) for the acquisition | Without a defined structure and election analysis, the buyer cannot assess inheritance of historical tax liabilities, NOL preservation/limitation, or the value of a potential asset step-up. | The buyer overview confirms a 100% acquisition of a Delaware C-corp but does not specify whether the transaction is structured as a stock or asset purchase, nor whether any step-up election (e.g., 338(h)(10), 336(e)) is contemplated. This drives whether historical tax liabilities and attributes (including Section 382-limited NOLs) carry over to the buyer and whether a basis step-up is available. | Provide the draft purchase agreement structure, any tax structuring memo or opinion, and confirmation of any contemplated step-up elections. | tax |
| P3 | Missing_Doc | Antitrust / merger-control (HSR) filing analysis for the Summit–Northwind acquisition | Unassessed antitrust filing obligation could delay closing or expose parties to gun-jumping/penalty risk; however, target size suggests likely below US HSR threshold. | The buyer overview confirms a 100% acquisition of Northwind (~$41.2M ARR) by Summit Industrial Group, expected to close Q3 2026. A determination of whether the transaction meets the Hart-Scott-Rodino size-of-transaction threshold (or any non-US merger-control thresholds) is needed to confirm closing timeline and filing obligations. | Provide deal-value/consideration figures and confirm whether HSR or any foreign merger-control filing is required, with counsel's assessment. | regulatory |
| P3 | Missing_Data | Acquirer (Summit Industrial Group) ESG / carbon profile and Northwind ESG baseline for post-close integration | Combined entity may face climate-disclosure obligations (e.g., SEC climate rule, CSRD if EU footprint scales) without a baseline emissions inventory; integration ESG synergies/risks cannot be quantified. | The acquirer overview describes Summit Industrial Group as an industrial/logistics platform with 'existing fleet operations,' which carry direct Scope 1 carbon exposure. No ESG baseline (carbon, governance, disclosure) is provided for either the acquirer or the target to support post-close ESG integration or consolidated climate-disclosure readiness. | Provide Summit Industrial Group's most recent GHG inventory (Scope 1/2/3) and any ESG/sustainability reporting, plus Northwind's cloud-hosting energy/emissions data, to establish a consolidated ESG baseline. | esg |
Analyst Configuration
Default configuration
Default configuration — all agents enabled, no overrides.
Methodology & Limitations
Analysis Process
This due diligence report was generated through automated analysis of the target company's data room documents using specialized AI agents. The process follows a deterministic 38-step pipeline with 5 blocking quality gates.
2
Entities Analyzed
44
Findings Extracted
54
Gaps Identified
18
Data Points Reconciled
Agent Coverage
| Domain | Findings | Risk Level |
|---|---|---|
| Legal | 9 | High |
| Finance | 5 | High |
| Commercial | 9 | High |
| Product & Tech | 3 | Medium |
| Cybersecurity | 4 | Medium |
| HR / People | 5 | Low |
| Tax | 4 | Low |
| Regulatory | 4 | Medium |
| ESG | 1 | Low |
Data Quality
- Cross-reference match rate: 72% (13 matches, 5 mismatches of 18 data points)
- Average governance resolution: 0%
Known Limitations
- Analysis is limited to documents provided in the data room. Documents not included may contain material information.
- Financial figures extracted from contract text are best-effort and may not reflect current values.
- Unreadable or corrupted documents are flagged as gaps but cannot be analyzed.
- AI-generated findings should be verified by legal and financial advisors before making investment decisions.
- Cross-reference reconciliation depends on data availability in both contract documents and reference sources.